CERT-In Vulnerability Note CIVN-2008-83
Microsoft Pragmatic General Multicast Denial of Service Vulnerabilities

Original Issue Date: June 12, 2008

Severity Rating: Medium

Systems Affected

  • Windows XP SP2 and Windows XP SP3
  • Windows XP Professional x64 Edition and Windows XP Professional x64 Edition SP2
  • Windows Server 2003 SP1 and Windows Server 2003 SP2
  • Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2
  • Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems
  • Windows Vista and Windows Vista SP1
  • Windows Vista x64 Edition and Windows Vista x64 Edition SP1
  • Windows Server 2008 for 32-bit Systems
  • Windows Server 2008 for x64-based Systems
  • Windows Server 2008 for Itanium-based Systems

Overview

Two Denial of Service vulnerabilities have been reported in implementations of the Pragmatic General Multicast (PGM) protocol on Microsoft Windows.

Description

PGM is a multicast protocol that enables receivers to be responsible for the reliability of the communication.

1. PGM Invalid Option Length Vulnerability (CVE-2008-1440)

This vulnerability is due to an input validation error in the PGM protocol. An attacker could exploit this vulnerability via specially crafted PGM packets with an invalid option length field.

2. PGM Invalid Fragment Option Vulnerability (CVE-2008-1441)

This vulnerability is due to an input validation error in the PGM protocol. An attacker could exploit this vulnerability via specially crafted PGM packets with an invalid fragment option.

Successful exploitation of these vulnerabilities could cause the affected system to stop responding and automatically restart.
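
The kind of option validation both entries refer to, shown as an added example (not code from CERT-In or Microsoft): a receiver-side check that walks a PGM option chain and rejects inconsistent length fields before any option is parsed. The option layout and constants are assumptions taken from RFC 3208; the function name, status codes and sample blocks are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>

/* Option layout assumed from RFC 3208; the advisory does not give it. */
#define OPT_LENGTH       0x00  /* first option, holds total options length */
#define OPT_FRAGMENT     0x01
#define OPT_END          0x80  /* high bit of the type byte: last option */
#define OPT_HDR_LEN      4     /* type, length, two reserved/flag bytes */
#define OPT_FRAGMENT_LEN 16    /* fixed size of the fragment option */

enum { OPT_OK, OPT_TRUNCATED, OPT_BAD_TOTAL, OPT_BAD_LENGTH, OPT_NO_END };

/* Check the whole option chain in buf[0..avail) before parsing any option. */
int pgm_validate_options(const uint8_t *buf, size_t avail)
{
    if (avail < OPT_HDR_LEN || buf[0] != OPT_LENGTH || buf[1] != OPT_HDR_LEN)
        return OPT_BAD_TOTAL;
    size_t total = ((size_t)buf[2] << 8) | buf[3];  /* network byte order */
    if (total < OPT_HDR_LEN || total > avail)
        return OPT_BAD_TOTAL;

    size_t off = OPT_HDR_LEN;
    while (off < total) {
        if (total - off < OPT_HDR_LEN)
            return OPT_TRUNCATED;
        size_t type = buf[off], len = buf[off + 1];
        /* len < 4 would stall the walk; len > remainder would read past it. */
        if (len < OPT_HDR_LEN || len > total - off)
            return OPT_BAD_LENGTH;
        if ((type & 0x7f) == OPT_FRAGMENT && len != OPT_FRAGMENT_LEN)
            return OPT_BAD_LENGTH;
        off += len;
        if (type & OPT_END)  /* end marker must coincide with declared total */
            return off == total ? OPT_OK : OPT_BAD_TOTAL;
    }
    return OPT_NO_END;
}

/* Constructed sample option blocks (not captured traffic). */
static const uint8_t sample_ok[20] = { 0x00, 0x04, 0x00, 0x14, 0x81, 0x10 };
static const uint8_t sample_zero_len[8] = { 0x00, 0x04, 0x00, 0x08, 0x81, 0x00 };
static const uint8_t sample_overrun[8] = { 0x00, 0x04, 0x00, 0x08, 0x82, 0x40 };

int main(void)
{
    printf("%d %d %d\n", pgm_validate_options(sample_ok, sizeof sample_ok),
           pgm_validate_options(sample_zero_len, sizeof sample_zero_len),
           pgm_validate_options(sample_overrun, sizeof sample_overrun));
    return 0;
}
```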

Solution

Apply appropriate updates as mentioned in the Microsoft Security Bulletin MS08-036.


Vendor Information

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-036.mspx

References

Microsoft
http://www.microsoft.com/technet/security/bulletin/MS08-036.mspx

Secunia
http://secunia.com/advisories/30587/

CVE Name
CVE-2008-1440
CVE-2008-1441

Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address

Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003