IBM Security Server Protection for Windows, Proventia Network IDS, Proventia-G 1.1 and earlier, Proventia Network MFS, BlackICE PC Protection, BlackICE Server Protection, RealSecure Server Sensor, RealSecure Network, Proventia Network IPS, Proventia Desktop, Virtual Server Protection for VMware, Proventia Server IPS for Linux technology:
This signature detects potential Denial of Service attacks caused by a series of ICMP Router Advertisements.
Medium
IBM Security Server Protection for Windows: 2.1.14.2400, IBM Security Server Protection for Windows: 2.0.252.2140, IBM Security Server Protection for Windows: 1.0.914.2140, Proventia Network IDS: XPU 28.010, Proventia-G 1.1 and earlier: XPU 28.010, Proventia Network MFS: XPU 28.010, BlackICE PC Protection: 3.6cqt, BlackICE Server Protection: 3.6.cqt, RealSecure Server Sensor: XPU 28.010, RealSecure Network: XPU 28.010, Proventia Network IPS: XPU 28.010, Proventia Desktop: 2140, Virtual Server Protection for VMware: 1.0, Proventia Server IPS for Linux technology: 28.010
Microsoft Windows 2000: SP4, Microsoft Windows 2003 Server: x64, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: x64 Professional, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows Server 2003: SP2, Microsoft Windows Server 2003: SP2 Itanium, Microsoft Windows Server 2003: SP2 x64, Microsoft Windows XP: SP2 x64 Professional, Microsoft Small Business Server: 2003 SP1, Microsoft Small Business Server: 2003 R2, Microsoft Small Business Server: 2003 R2 SP2, Microsoft Windows Home Server
Denial of Service
The Microsoft Windows TCP/IP implementation is vulnerable to a denial of service caused by improper handling of ICMP requests. By sending a series of malformed ICMP requests to a vulnerable host, a remote attacker could cause the system to stop responding to legitimate requests. The system must be rebooted to regain normal functionality.
Note: It may be possible to exploit this vulnerability to execute arbitrary code on the system.
Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.
— OR —
Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.
Microsoft Security Bulletin MS08-001
Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx
IBM Internet Security Systems Protection Advisory, Jan. 8, 2008
Multiple (3) Microsoft Windows TCP/IP Remote Code Execution and DoS Vulnerabilities
http://www.iss.net/threats/282.html
Nortel BULLETIN ID: 2008008560
Centrex IP Client Manager (CICM) response to Microsoft January security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=683011
Microsoft Security Bulletin MS08-004
Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx
ISS X-Force
Microsoft Windows TCP/IP ICMP denial of service
http://www.iss.net/security_center/static/39254.php
CVE
CVE-2007-0066
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0066