MS09-048: Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution (967723)

High Nessus Plugin ID 40891

Synopsis

Multiple vulnerabilities in the Windows TCP/IP implementation could lead to denial of service or remote code execution.

Description

The TCP/IP implementation on the remote host has multiple flaws that could allow remote code execution if an attacker sent specially crafted TCP/IP packets over the network to a computer with a listening service:

- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to the way that Windows handles an excessive number of established TCP connections. The effect of this vulnerability can be amplified by the requirement to process specially crafted packets with a TCP receive window size set to a very small value or zero. An attacker could exploit the vulnerability by flooding a system with specially crafted packets, causing the affected system to stop responding to new requests or automatically restart. (CVE-2008-4609)

- A remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An anonymous attacker could exploit the vulnerability by sending specially crafted TCP/IP packets to a computer that has a service listening over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. (CVE-2009-1925)

- A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted packets with a small or zero TCP receive window size. If an application closes a TCP connection with pending data to be sent and an attacker has set a small or zero TCP receive window size, the affected server will not be able to completely close the TCP connection. An attacker could exploit the vulnerability by flooding a system with specially crafted packets, causing the affected system to stop responding to new requests. The system would remain non-responsive even after the attacker stops sending malicious packets. (CVE-2009-1926)

Solution

Microsoft has released a set of patches for Windows 2003, Vista and 2008.

See Also

https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-048

Plugin Details

Severity: High

ID: 40891

File Name: smb_nt_ms09-048.nasl

Version: 1.30

Type: local

Agent: windows

Published: 2009/09/08

Updated: 2018/11/15

Dependencies: 57033, 13855

Risk Information

Risk Factor: High

CVSS v2.0

Base Score: 7.6

Temporal Score: 6.3

Vector: CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C

Temporal Vector: CVSS2#E:F/RL:OF/RC:C

Vulnerability Information

CPE: cpe:/o:microsoft:windows

Required KB Items: SMB/MS_Bulletin_Checks/Possible

Exploit Available: true

Exploit Ease: Exploits are available

Patch Publication Date: 2009/09/08

Vulnerability Publication Date: 2009/09/08

Exploitable With

Core Impact

Reference Information

CVE: CVE-2008-4609, CVE-2009-1925, CVE-2009-1926

BID: 31545, 36265, 36269

MSFT: MS09-048

MSKB: 967723

IAVA: 2009-A-0077

CWE: 16, 94