Microsoft Windows TCP/IP Source Specific Multicasting (SSM) multiple buffer overflows (SSM_List_BO)

About this signature or vulnerability

Proventia-G 1.1 and earlier, Proventia Server IPS for Microsoft Windows technology, Proventia Network MFS, Proventia Network IPS, Proventia Desktop, Proventia Server IPS for Linux technology, RealSecure Network, RealSecure Server Sensor, BlackICE PC Protection, BlackICE Server Protection:

This signature detects attempts to overflow a buffer using SSM packets.


Default risk level

High

Sensors that have this signature

Proventia-G 1.1 and earlier: XPU 27.070, Proventia Server IPS for Microsoft Windows technology: 1.0.914.2080, Proventia Network MFS: XPU 27.070, Proventia Network IPS: XPU 27.070, Proventia Desktop: 2080, Proventia Server IPS for Linux technology: 27.070, RealSecure Network: XPU 27.070, RealSecure Server Sensor: XPU 27.070, BlackICE PC Protection: 3.6cqn, BlackICE Server Protection: 3.6.cqn

Systems affected

Microsoft Small Business Server: 2003 SP1, Microsoft Small Business Server: 2003 R2, Microsoft Small Business Server: 2003 R2 SP2, Microsoft Windows Home Server, Microsoft Windows 2003 Server: SP2 Itanium, Microsoft Windows 2003 Server: SP2, Microsoft Windows XP: SP2 Professional x64, Microsoft Windows 2003 Server: SP2 x64, Microsoft Windows Vista: x64, Microsoft Windows Vista, Microsoft Windows XP: Professional x64, Microsoft Windows 2003 Server: SP1 Itanium, Microsoft Windows 2003 Server: SP1, Microsoft Windows XP: SP2, Microsoft Windows 2003 Server: x64

Type

Unauthorized Access Attempt

Vulnerability description

The Microsoft Windows TCP/IP implementation is vulnerable to multiple buffer overflows in the Source Specific Multicasting (SSM) timers caused by improper handling of IGMPv3 and MLDv2 packets. By sending a series of malformed IGMPv3 or MLDv2 packets to a vulnerable host, a remote attacker could overflow a buffer and execute arbitrary code on the system.

How to remove this vulnerability

Apply the appropriate patch for your system, as listed in the latest Microsoft Security Bulletin. See References.

— OR —

Use Microsoft Automatic Update if it is supported by your operating system. The original bulletin issued by Microsoft has been superseded.

References

Microsoft Security Bulletin MS08-001
Vulnerabilities in TCP/IP Could Allow Remote Code Execution (941644)
http://www.microsoft.com/technet/security/bulletin/ms08-001.mspx

IBM Internet Security Systems X-Force Database
Microsoft Windows TCP/IP Source Specific Multicasting (SSM) IGMPv3 buffer overflow
http://xforce.iss.net/xforce/xfdb/39452

IBM Internet Security Systems X-Force Database
Microsoft Windows TCP/IP Source Specific Multicasting (SSM) MLDv2 buffer overflow
http://xforce.iss.net/xforce/xfdb/39453

Nortel BULLETIN ID: 2008008560
Centrex IP Client Manager (CICM) response to Microsoft January security bulletin
http://support.nortel.com/go/main.jsp?cscat=BLTNDETAIL&id=683011

Microsoft Security Bulletin MS08-004
Vulnerability in Windows TCP/IP Could Allow Denial of Service (946456)
http://www.microsoft.com/technet/security/bulletin/ms08-004.mspx

ISS X-Force
Microsoft Windows TCP/IP Source Specific Multicasting (SSM) multiple buffer overflows
http://www.iss.net/security_center/static/35059.php

CVE
CVE-2007-0069
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-0069