Lucene search

K
securityvulnsSecurityvulnsSECURITYVULNS:DOC:20339
HistoryAug 12, 2008 - 12:00 a.m.

Microsoft Security Bulletin MS08-047 – Important Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)

2008-08-1200:00:00
vulners.com
18

Microsoft Security Bulletin MS08-047 – Important
Vulnerability in IPsec Policy Processing Could Allow Information Disclosure (953733)
Published: August 12, 2008

Version: 1.0
General Information
Executive Summary

This update resolves a privately reported vulnerability in the way certain Windows Internet Protocol Security (IPsec) rules are applied. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would disclose information intended to be encrypted on the network. An attacker viewing the traffic on the network would be able to view and possibly modify the contents of the traffic. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system or network.

This update is rated Important for all supported versions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

The security update addresses the vulnerability by ensuring that IPsec rules are processed appropriately. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability entry under the next section, Vulnerability Information.

Recommendation. Microsoft recommends that customers apply the update at the earliest opportunity.

Known Issues. None
Top of sectionTop of section
Affected and Non-Affected Software

The following software have been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.

Affected Software
Operating System Maximum Security Impact Aggregate Severity Rating Bulletins Replaced by this Update

Windows Vista and Windows Vista Service Pack 1

Information Disclosure

Important

None

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Information Disclosure

Important

None

Windows Server 2008 for 32-bit Systems*

Information Disclosure

Important

None

Windows Server 2008 for x64-based Systems*

Information Disclosure

Important

None

Windows Server 2008 for Itanium-based Systems

Information Disclosure

Important

None

*Windows Server 2008 server core installation affected. For supported editions of Windows Server 2008, this update applies, with the same severity rating, whether or not Windows Server 2008 was installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Non-Affected Software
Operating System

Windows 2000 Service Pack 4

Windows XP Service Pack 2 and Windows XP Service Pack 3

Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2

Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2

Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
Top of sectionTop of section

Frequently Asked Questions (FAQ) Related to This Security Update

Where are the file information details?
The file information details can be found in Microsoft Knowledge Base Article 953733.

I am using an older release of the software discussed in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which releases are affected. Other releases are past their support life cycle. To determine the support life cycle for your software release, visit Microsoft Support Lifecycle.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit Microsoft Support Lifecycle. For more information about the extended security update support period for these software versions or editions, visit Microsoft Product Support Services.

Customers who require custom support for older releases must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit Microsoft Worldwide Information, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.
Top of sectionTop of section
Vulnerability Information

Severity Ratings and Vulnerability Identifiers
Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software IPsec Policy Information Disclosure Vulnerability - CVE-2008-2246 Aggregate Severity Rating

Windows Vista and Windows Vista Service Pack 1

Important
Information Disclosure

Important

Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1

Important
Information Disclosure

Important

Windows Server 2008 for 32-bit Systems

Important
Information Disclosure

Important

Windows Server 2008 for x64-based Systems

Important
Information Disclosure

Important

Windows Server 2008 for Itanium-based Systems

Important
Information Disclosure

Important
Top of sectionTop of section

IPsec Policy Information Disclosure Vulnerability - CVE-2008-2246

An information disclosure vulnerability exists in the manner in which IPsec policies are imported to Windows Server 2008 domains from Windows Server 2003 domains. This vulnerability could cause systems to ignore IPsec policies and transmit network traffic in clear text. This, in turn, would potentially disclose information intended to be encrypted on the network. An attacker intercepting the traffic on the network would be able to view and possibly modify the contents of the traffic. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2008-2246.

Mitigating Factors for IPsec Policy Information Disclosure Vulnerability - CVE-2008-2246

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

In Windows Vista and Windows Server 2008, the default response rule is not automatically enabled. The default response rule is enabled automatically only when you create an IPsec policy via versions of Windows earlier than Windows Vista and Windows Server 2008.
Top of sectionTop of section

Workarounds for IPsec Policy Information Disclosure Vulnerability - CVE-2008-2246

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Do not select the "Default Response Rule" during IPsec policy creation or uncheck this rule from existing policies as this rule is no longer valid on Windows Vista and Windows Server 2008 and is only applicable on earlier versions of Windows. To emulate this rule in Windows Vista and Windows Server 2008, refer to Microsoft Knowledge Base Article 942964.
Top of sectionTop of section

FAQ for IPsec Policy Information Disclosure Vulnerability - CVE-2008-2246

What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could read the contents of network traffic that would otherwise be encrypted. Note that this vulnerability would not allow an attacker to execute code or to elevate their user rights directly. It could be used to collect useful information to try to further compromise the affected system.

What causes the vulnerability?
This vulnerability results from an error when the default IPsec policy is imported from a Windows Server 2003 domain to a Windows Server 2008 domain. Under certain circumstances, this error could cause all IPsec rules to be ignored.

What is IPsec?
Internet Protocol security (IPsec) is a framework of open standards for ensuring private, secure communications over Internet Protocol (IP) networks through the use of cryptographic security services. The Internet Engineering Task Force (IETF) IPsec working group defines the IPsec standards.

IPsec is the long-term direction for secure networking. It provides aggressive protection against private network and Internet attacks through end-to-end security. The only computers that must know about IPsec protection are the sender and receiver in the communication. IPsec provides the ability to protect communication between workgroups, local area network computers, domain clients and servers, branch offices (which might be physically remote), extranets, and roving clients. For more information about IPsec, see the following Microsoft Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability would be able to view, and in some cases modify, network traffic in clear text that was intended to be encrypted.

How could an attacker exploit the vulnerability?
This vulnerabilit could cause a security feature to malfunction. In order to take advantage of this issue, it requires an attacker to be monitoring network traffic. The attacker would be able to read and possibly modify the contents of the network traffic observed from their particular vantage point. Under normal circumstances, IPsec policies protect this traffic from interception by encrypting the contents. An attacker could not cause this situation to occur unless they previously obtained administrative permissions to the domain controller. Instead, they would rely on an administrator to unknowingly misconfigure the IPsec rule set and cause information to be transmitted in the clear.

What systems are primarily at risk from the vulnerability?
Windows Vista Workstations and Windows Server 2008 Servers subject to IPsec policies residing in a Windows Server 2008 domain upgraded from a Windows Server 2003 domain are primarily at risk.

What does the update do?
The update removes the vulnerability by ensuring IPsec rules are processed in the appropriate manner.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Other Information
Support

Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.

International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

V1.0 (August 12, 2008): Bulletin published.

Related for SECURITYVULNS:DOC:20339