

   VULNERABILITY NOTE

CERT-In Vulnerability Note CIVN-2008-127
IPsec Policy Processing Information Disclosure Vulnerability

Original Issue Date: August 14, 2008

Severity Rating: Medium

Systems Affected

  • Windows Vista and Windows Vista Service Pack 1
  • Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
  • Windows Server 2008 for 32-bit Systems installed using the Server Core installation option
  • Windows Server 2008 for x64-based Systems installed using the Server Core installation option
  • Windows Server 2008 for Itanium-based Systems installed using the Server Core installation option

Overview

An information disclosure vulnerability has been reported in the processing of Windows Internet Protocol Security (IPsec) rules, which could cause systems to ignore IPsec policies and disclose information transmitted on the network in clear text.

Description

The vulnerability is caused by an error while importing IPsec policies from a Windows Server 2003 domain into a Windows Server 2008 domain. Successful exploitation of this issue could cause systems to ignore IPsec policies and transmit network traffic in clear text instead of encrypting it. This vulnerability could allow an attacker to view and possibly modify the contents of the traffic on the network.

Workaround

  • Uncheck the "Default Response Rule" during IPsec policy creation on Windows Vista and Windows Server 2008.

To emulate this rule in Windows Vista and Windows Server 2008, refer to Microsoft Knowledge Base Article 942964.

Solution

Apply the appropriate updates as mentioned in Microsoft Security Bulletin MS08-047.

Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/ms08-047.mspx

References

Secunia
http://secunia.com/advisories/31411

SecurityTracker
http://securitytracker.com/alerts/2008/Aug/1020678.html

FrSIRT
http://www.frsirt.com/english/advisories/2008/2351

SecurityFocus
http://www.securityfocus.com/bid/30634/info

CVE Name
CVE-2008-2246

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003