Microsoft Windows TCP/IP ICMP denial of service (ICMP_Router_Advertisement_Dos)

About this signature or vulnerability

BlackICE Server Protection, BlackICE PC Protection, RealSecure Server Sensor, RealSecure Network, Proventia Server IPS for Linux technology, Proventia Network IPS, Proventia Desktop, Proventia Network MFS, Proventia Server IPS for Microsoft Windows technology, Proventia-G 1.1 and earlier:

This signature detects potential Denial of Service attacks caused by a series of ICMP Router Advertisements.


Default risk level

Low

Sensors that have this signature

BlackICE Server Protection: 3.6.cqt
BlackICE PC Protection: 3.6cqt
RealSecure Server Sensor: XPU 28.010
RealSecure Network: XPU 28.010
Proventia Server IPS for Linux technology: 28.010
Proventia Network IPS: XPU 28.010
Proventia Desktop: 2140
Proventia Network MFS: XPU 28.010
Proventia Server IPS for Microsoft Windows technology: 1.0.914.2140
Proventia Server IPS for Microsoft Windows technology: 2.0.252.2140
Proventia-G 1.1 and earlier: XPU 28.010

Systems affected

Microsoft Windows Home Server
Microsoft Small Business Server: 2003 R2 SP2
Microsoft Small Business Server: 2003 R2
Microsoft Small Business Server: 2003 SP1
Microsoft Windows 2003 Server: SP2 x64
Microsoft Windows XP: SP2 Professional x64
Microsoft Windows 2003 Server: SP2 Itanium
Microsoft Windows 2003 Server: SP2
Microsoft Windows 2003 Server: SP1
Microsoft Windows 2003 Server: SP1 Itanium
Microsoft Windows XP: Professional x64
Microsoft Windows XP: SP2
Microsoft Windows 2000: SP4
Microsoft Windows 2003 Server: x64

Type

Denial of Service

Vulnerability description

The Microsoft Windows TCP/IP implementation is vulnerable to a denial of service caused by improper handling of ICMP requests. By sending a series of malformed ICMP requests to a vulnerable host, a remote attacker could cause the system to stop responding to legitimate requests. The system must be rebooted to regain normal functionality.

Note: It may be possible to exploit this vulnerability to execute arbitrary code on the system.
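As an added illustration (not part of this X-Force entry and not ISS's own signature logic), the following Python sketches what "a series of ICMP Router Advertisements" looks like from a detector's side: it parses IPv4/ICMP packets, counts Router Advertisement messages (ICMP type 9, RFC 1256) per source address over a sliding time window, and flags a source that crosses a threshold. The packets, addresses, timestamps and threshold values are constructed assumptions, not the sensor's real settings, and the advertisement bodies are zero-filled placeholders rather than real router entries.

```python
"""Added example: sliding-window detector for bursts of ICMP Router Advertisements.
Not part of the original X-Force entry; all packets and thresholds are constructed."""
import struct
from collections import defaultdict, deque

IPPROTO_ICMP = 1
ICMP_ECHO_REQUEST = 8
ICMP_ROUTER_ADVERTISEMENT = 9  # ICMP type 9 (RFC 1256)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_icmp(src: str, icmp_type: int, icmp_code: int = 0, payload: bytes = b"") -> bytes:
    """Construct a well-formed IPv4 packet carrying one ICMP message (sample data only)."""
    icmp_hdr = struct.pack("!BBH", icmp_type, icmp_code, 0) + payload
    icmp = icmp_hdr[:2] + struct.pack("!H", inet_checksum(icmp_hdr)) + icmp_hdr[4:]
    src_b = bytes(int(o) for o in src.split("."))
    dst_b = bytes([224, 0, 0, 1])  # all-hosts group, where advertisements are normally sent
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(icmp), 0, 0, 64,
                      IPPROTO_ICMP, 0, src_b, dst_b)
    hdr = hdr[:10] + struct.pack("!H", inet_checksum(hdr)) + hdr[12:]
    return hdr + icmp


def parse_ipv4_icmp(packet: bytes):
    """Return (src_ip, icmp_type, icmp_code) for a valid IPv4/ICMP packet, else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or packet[9] != IPPROTO_ICMP or len(packet) < ihl + 4:
        return None
    if inet_checksum(packet[:ihl]) != 0:  # an intact header checksums to zero
        return None
    src = ".".join(str(b) for b in packet[12:16])
    return src, packet[ihl], packet[ihl + 1]


class RouterAdvertisementMonitor:
    """Flags a source that sends at least `threshold` Router Advertisements
    within any `window`-second span. Threshold and window are assumed values."""

    def __init__(self, threshold: int = 10, window: float = 5.0):
        self.threshold = threshold
        self.window = window
        self._seen = defaultdict(deque)  # src_ip -> timestamps of recent advertisements

    def observe(self, ts: float, packet: bytes):
        """Feed one packet with its capture time; return (src, count) when the burst trips."""
        parsed = parse_ipv4_icmp(packet)
        if parsed is None or parsed[1] != ICMP_ROUTER_ADVERTISEMENT:
            return None
        src = parsed[0]
        q = self._seen[src]
        q.append(ts)
        while q and ts - q[0] > self.window:  # drop advertisements outside the window
            q.popleft()
        if len(q) >= self.threshold:
            return (src, len(q))
        return None


def run_demo():
    """Replay a constructed trace: one bursty source, one slow source, and echo requests."""
    mon = RouterAdvertisementMonitor(threshold=10, window=5.0)
    ra_body = b"\x00" * 8  # placeholder advertisement body, not a real router entry
    trace = [(0.1 * i, build_ipv4_icmp("192.0.2.10", ICMP_ROUTER_ADVERTISEMENT, 0, ra_body))
             for i in range(12)]                      # 12 advertisements in 1.1 s
    trace += [(10.0 * i, build_ipv4_icmp("192.0.2.20", ICMP_ROUTER_ADVERTISEMENT, 0, ra_body))
              for i in range(12)]                     # 12 advertisements, one every 10 s
    trace += [(0.1 * i, build_ipv4_icmp("192.0.2.30", ICMP_ECHO_REQUEST))
              for i in range(50)]                     # ordinary pings, never counted
    trace.sort(key=lambda e: e[0])
    alerts = []
    for ts, pkt in trace:
        hit = mon.observe(ts, pkt)
        if hit:
            alerts.append((round(ts, 1), hit[0], hit[1]))
    return alerts


if __name__ == "__main__":
    for ts, src, count in run_demo():
        print("t=%.1fs  %s sent %d router advertisements within the window" % (ts, src, count))
```

Only the source that sends advertisements in a tight burst trips the monitor; the one that advertises every ten seconds never accumulates more than one entry in its window, and echo requests are ignored entirely. Malformed packets the description refers to are not modelled here; the parser simply rejects anything that is not a well-formed IPv4/ICMP packet.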

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS08-001
Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx

IBM Internet Security Systems Protection Advisory, Jan. 8, 2008
Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities
http://www.iss.net/threats/282.html

Nortel BULLETIN ID: 2008008560
Centrex IP Client Manager (CICM) response to Microsoft January security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=683011

Microsoft Security Bulletin MS08-004
Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx

ISS X-Force
Microsoft Windows TCP/IP ICMP denial of service
http://www.iss.net/security_center/static/39254.php

CVE
CVE-2007-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0066