This month we released MS09-048 which addresses three vulnerabilities in the Windows TCP/IP stack. One of the vulnerabilities, CVE-2009-1925, is rated Critical due to the risk of Remote Code Execution (RCE). The other two vulnerabilities are Denial of Service (DoS) issues (due to memory exhaustion) without the risk of RCE.
The Exploitability Index rating for CVE-2009-1925 is 2 (Medium), and this blog post is intended to provide more information on the exploitability of this issue, and the reasons why the risk of RCE is lower than the Critical rating may imply. We also provide information on the new memory exhaustion protections that were implemented to address the DoS vulnerabilities.
Why is the severity “Critical” in the bulletin?
The TCP/IP stack is a part of the Windows kernel, and handles low-level networking protocols such as IP, TCP and UDP. The vulnerability tracked by CVE-2009-1925 allows an attacker to cause the TCP/IP stack, under certain conditions, to execute code at an invalid address. This can be done by a remote, anonymous attacker. Since executing at an invalid address is something that could be leveraged by an attacker to gain RCE, we rated the bulletin using this “worst case” impact, hence the Critical severity in the security bulletin.
Why is the Exploitability Index rating Medium?
The Exploitability Index is intended to provide guidance to help prioritize patch deployment. The Exploitability Index rating is based on the probability that a reliable code-execution exploit will be created within 30 days of the bulletin release [1]. For various reasons, we do not anticipate a reliable code-execution exploit will be produced for this vulnerability. Specifically:
- The vulnerability is due to TCP/IP incorrectly using a field that contains a hash value for the TCP connection, and treating the hash value as a function pointer.
- The hash value is computed using the Toeplitz Hash (described in detail here). This hash algorithm takes a random key as input. The key is not known to the attacker and not under the attacker’s control, which means the resulting hash value is not under the attacker’s control.
- This effectively means the address which will be invoked as a function pointer is a random value that cannot be predicted by the attacker.
- An attacker may be able to “spray” kernel memory with their malicious payload, and this would increase the chance that a random address would be within data they control. This would still be unreliable.
Due to the above, except in staged scenarios where the attacker knows details about the random key used by the target computer, RCE exploits will not be reliable. As a result we assigned a Medium rating in the Exploitability Index.
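To make the argument above concrete, here is an added example (not code from the original post or from the Windows TCP/IP stack): a pure-Python Toeplitz hash written from the RSS definition, used to show that the value the stack ends up treating as a function pointer depends on a secret key and so cannot be predicted from the connection parameters alone. The 40-byte key length and the input layout (source address, destination address, source port, destination port) are assumptions taken from the RSS specification; the flow values are constructed.

```python
import os
import socket
import struct

RSS_KEY_LEN = 40  # assumption: the RSS secret key is 40 bytes long


def toeplitz_hash(data: bytes, key: bytes) -> int:
    """Toeplitz hash: for every set bit of the input (MSB first), XOR in the
    32-bit window of the key that starts at that bit position."""
    if len(key) < len(data) + 4:
        raise ValueError("key must be at least 4 bytes longer than the input")
    key_int = int.from_bytes(key, "big")
    key_bits = len(key) * 8
    result = 0
    for i in range(len(data) * 8):
        if (data[i // 8] >> (7 - i % 8)) & 1:
            window = (key_int >> (key_bits - 32 - i)) & 0xFFFFFFFF
            result ^= window
    return result


def tcp4_hash_input(src_ip: str, dst_ip: str, src_port: int, dst_port: int) -> bytes:
    """Hash input for an IPv4/TCP flow (assumed RSS layout): source address,
    destination address, source port, destination port, network byte order."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!HH", src_port, dst_port))


def hashes_under_random_keys(data: bytes, trials: int) -> set:
    """Hash the same flow under freshly generated secret keys: this is the
    attacker's situation when the target's key is unknown. The flow is fixed,
    yet the resulting 32-bit value changes with every key."""
    return {toeplitz_hash(data, os.urandom(RSS_KEY_LEN)) for _ in range(trials)}


if __name__ == "__main__":
    # Constructed sample flow, not taken from the post.
    flow = tcp4_hash_input("192.0.2.10", "198.51.100.20", 40000, 445)
    seen = hashes_under_random_keys(flow, 8)
    print("distinct hash values for one flow under 8 random keys:", len(seen))
    for value in sorted(seen):
        print(f"  0x{value:08x}")
```

Because the hash is linear over the input bits for a fixed key, an attacker who did know the key could compute the value exactly, which is why the post singles out "staged scenarios" as the only reliable case.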
Will Denial of Service (DoS) attacks be reliable?
Attackers will be able to trigger this vulnerability to cause a system crash (bugcheck) when the invalid address is executed; this would be a system-level Denial of Service (DoS). Systems that are exposed to untrusted users should be patched to protect against DoS attacks. It is also possible to mitigate the attacks by using network firewalls that block the attack traffic.
New protections against memory exhaustion attacks
With this security update, we are introducing new protections in the TCP/IP stack to prevent memory exhaustion attacks. The new protections are enabled by default on Windows Server 2003 and 2008, but not on Windows Vista. The protections will activate when the system is under severe memory pressure (when the system runs very low on nonpaged kernel memory). At this point, TCP connections will be dropped at random, helping to keep the system operational. This feature can be controlled using netsh and the registry as outlined in KB 974288.
Servers that are under heavy load during normal operating conditions may experience severe memory pressure that would trigger the new protections. To prevent the new protections from activating and dropping connections, the administrator can follow the instructions in KB 974288 to disable the protections or exclude specific TCP ports.
To protect systems where the new protection feature cannot be used, a NAT or reverse proxy could shield the system. For example, to protect Windows 2000 systems, a device that is not vulnerable to the DoS attacks could proxy incoming connections.
References
1. Microsoft Exploitability Index, http://technet.microsoft.com/en-us/security/cc998259.aspx
Updated September 11, 2009: Notes added about KB 974288 to answer customer questions.
- Mark Wodrich, MSRC Engineering
Posting is provided “AS IS” with no warranties, and confers no rights.