MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

high Nessus Plugin ID 40891

Synopsis

Multiple vulnerabilities in the Windows TCP/IP implementation could lead to denial of service or remote code execution.

Description

The TCP/IP implementation on the remote host has multiple flaws that could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service :

- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to the way that Windows handles an excessive number of established TCP connections. The affect of this vulnerability can be amplified by the requirement to process specially crafted packets with a TCP receive window size set to a very small value or zero. An attacker could exploit the vulnerability by flooding a system with specially crafted packets causing the affected system to stop responding to new requests or automatically restart.
(CVE-2008-4609)

- A remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An anonymous attacker could exploit the vulnerability by sending specially crafted TCP/IP packets to a computer that has a service listening over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE-2009-1925)

- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted packets with a small or zero TCP receive window size. If an application closes a TCP connection with pending data to be sent and an attacker has set a small or zero TCP receive window size, the affected server will not be able to completely close the TCP connection. An attacker could exploit the vulnerability by flooding a system with specially crafted packets causing the affected system to stop responding to new requests. The system would remain non-responsive even after the attacker stops sending malicious packets. (CVE-2009-1926)

Solution

Microsoft has released a set of patches for Windows 2003, Vista and 2008.

See Also

https://www.nessus.org/u?f87ddf5d

Plugin Details

Severity: High

ID: 40891

File Name: smb_nt_ms09-048.nasl

Version: 1.31

Type: local

Agent: windows

Published: 9/8/2009

Updated: 8/5/2020

Supported Sensors: Nessus

Risk Information

VPR

Risk Factor: High

Score: 7.4

CVSS v2

Risk Factor: High

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 9/8/2009

Vulnerability Publication Date: 9/8/2009

Exploitable With

Core Impact

Reference Information

CVE: CVE-2008-4609, CVE-2009-1925, CVE-2009-1926

BID: 31545, 36265, 36269

CWE: 16, 94

IAVA: 2009-A-0077-S

MSFT: MS09-048

MSKB: 967723