VID |
26457 |
Severity |
40 |
Port |
139,445 |
Protocol |
TCP |
Class |
SMB |
Detailed Description |
The Hotfix (967723) for 'Vulnerabilities in Windows TCP/IP Could Allow Remote Code Execution' has not been applied.
TCP/IP Zero Window Size Vulnerability - A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to the way that Windows handles an excessive number of established TCP connections. The effect of this vulnerability can be amplified by the requirement to process specially crafted packets with a TCP receive window size set to a very small value or zero. An attacker could exploit the vulnerability by flooding a system with specially crafted packets causing the affected system to stop responding to new requests or automatically restart.
TCP/IP Timestamps Code Execution Vulnerability - A remote code execution vulnerability exists in the Windows TCP/IP stack due to the TCP/IP stack not cleaning up state information correctly. This causes the TCP/IP stack to reference a field as a function pointer when it actually contains other information. An anonymous attacker could exploit the vulnerability by sending specially crafted TCP/IP packets to a computer that has a service listening over the network. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
TCP/IP Orphaned Connections Vulnerability - A denial of service vulnerability exists in TCP/IP processing in Microsoft Windows due to an error in the processing of specially crafted packets with a small or zero TCP receive window size. If an application closes a TCP connection with pending data to be sent and an attacker has set a small or zero TCP receive window size, the affected server will not be able to completely close the TCP connection. An attacker could exploit the vulnerability by flooding a system with specially crafted packets causing the affected system to stop responding to new requests. The system would remain non-responsive even after the attacker stops sending malicious packets.
* Note: This check requires an account with administrative privileges which can log into the host to scan. Absence of this condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References: http://www.microsoft.com/technet/security/bulletin/MS09-048.mspx
* Platforms Affected: Microsoft Windows 2000 SP4, Microsoft Windows XP SP2 and SP3, Windows Server 2003 SP2, Windows Vista SP1 and SP2, Windows Server 2008 and SP2 |
Recommendation |
Apply the appropriate patch (967723) for your system, as listed in Microsoft Security Bulletin MS09-048 at http://www.microsoft.com/technet/security/Bulletin/MS09-048.mspx
-- OR --
Patches for Windows platforms are also available from the Microsoft Windows Update Web site, http://windowsupdate.microsoft.com. Windows Update detects what version of Windows you are running and offers the appropriate patch. |
Related URL |
CVE-2009-2498,CVE-2009-2499 (CVE) |
Related URL |
36225,36228 (SecurityFocus) |
Related URL |
(ISS) |
|