CERT-In Vulnerability Note
CIVN-2009-0126
Multiple Vulnerabilities in Microsoft Windows Kernel
Original Issue Date: October 15, 2009
Severity Rating: HIGH
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Windows XP Service Pack 2 and Windows XP Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
- Windows Vista and Windows Vista Service Pack 1
- Windows Vista Service Pack 2
- Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1
- Windows Vista x64 Edition Service Pack 2
- Windows Server 2008 and Windows Server 2008 Service Pack 2 including Server Core
- Windows Server 2008 x64 Edition and Windows Server 2008 x64 Edition Service Pack 2 including Server Core
- Windows Server 2008 for Itanium-based Systems and Windows Server 2008 for Itanium-based Systems Service Pack 2
Overview
Multiple vulnerabilities have been reported in the Microsoft Windows Kernel. Successful exploitation of these vulnerabilities could allow elevation of privilege or cause a Denial of Service (DoS). An attacker could then execute arbitrary code and take complete control of the affected system.
Description
The Windows kernel is the core of the operating system. It provides system-level services such as device management, memory management, allocation of processor time to processes, and error handling.
PAE (Physical Address Extension) is an Intel-provided memory address extension that enables support for more than 4 GB of physical memory on most 32-bit (IA-32) Intel Pentium Pro and later platforms. Although PAE support is typically associated with support for more than 4 GB of RAM, PAE can be enabled on Windows XP SP2, Windows Server 2003, and later 32-bit versions of Windows to support hardware-enforced Data Execution Prevention (DEP).
1. Windows Kernel Integer Underflow Vulnerability (CVE-2009-2515)
This is an elevation of privilege vulnerability caused by the Windows kernel not correctly truncating a 64-bit value to a 32-bit value. This results in an integer underflow when the value is later subtracted from another value.
An attacker would have to log on to the system. Successful exploitation of this vulnerability could execute arbitrary code in kernel mode and take complete control of an affected system.
Note: On 32-bit systems, this vulnerability can only be triggered if the system uses Physical Address Extension (PAE).
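The truncation-then-subtraction bug class described above, as an added illustrative example in C that is not the Windows kernel's code and not part of this advisory; the region size, function names and offset values are constructed assumptions:

```c
#include <stdint.h>
#include <stdbool.h>

/* Hypothetical illustration (constructed, not the Windows kernel's code) of
 * the bug class behind CVE-2009-2515: a caller-supplied 64-bit value is
 * narrowed to 32 bits and then subtracted from a 32-bit limit. If the
 * narrowed value exceeds the limit, the unsigned subtraction wraps
 * (underflows), so a later size check sees a huge "remaining" value. */

#define REGION_SIZE 0x10000u  /* constructed: size of a region in bytes */

/* Buggy pattern: narrow first, then subtract without validating. */
uint32_t remaining_buggy(uint64_t offset64)
{
    uint32_t offset = (uint32_t)offset64;   /* high 32 bits silently dropped */
    return REGION_SIZE - offset;            /* wraps when offset > REGION_SIZE */
}

/* Hardened pattern: validate the full 64-bit value before narrowing, and
 * refuse any offset that would make the subtraction wrap. */
bool remaining_checked(uint64_t offset64, uint32_t *out)
{
    if (offset64 > REGION_SIZE)             /* 64-bit compare catches high bits */
        return false;
    *out = REGION_SIZE - (uint32_t)offset64; /* cannot wrap after the check */
    return true;
}
```

Note that an offset of exactly 2^32 truncates to 0, so the buggy form reports the whole region as available even though no underflow occurs; the 64-bit comparison in the hardened form rejects that case too.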
2. Windows Kernel NULL Pointer Dereference Vulnerability (CVE-2009-2516)
This is an elevation of privilege vulnerability caused by the Windows kernel not properly validating certain data passed from user mode.
An attacker would have to place a specially crafted application either on a target system or on a network share. Successful exploitation of this vulnerability could execute arbitrary code in kernel mode and take complete control of an affected system.
3. Windows Kernel Exception Handler Vulnerability (CVE-2009-2517)
This is a Denial of Service (DoS) vulnerability caused by the Windows kernel not properly handling certain exceptions.
An attacker would first have to log on to the system. Successful exploitation of this vulnerability could cause the affected system to stop responding and automatically restart.
Solution
Apply the appropriate updates as described in Microsoft Security Bulletin MS09-058.
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-058.mspx
References
Secunia
http://secunia.com/advisories/37001/
SecurityTracker
http://securitytracker.com/alerts/2009/Oct/1023003.html
SecurityFocus
http://www.securityfocus.com/bid/36623
http://www.securityfocus.com/bid/36624
http://www.securityfocus.com/bid/36625
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=19177
http://tools.cisco.com/security/center/viewAlert.x?alertId=19178
http://tools.cisco.com/security/center/viewAlert.x?alertId=19179
VUPEN
http://www.vupen.com/english/advisories/2009/2893
CVE Name
CVE-2009-2515
CVE-2009-2516
CVE-2009-2517
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Email: info@cert-in.org.in Phone: +91-11-2436857
Postal address
Indian Computer Emergency Response Team (CERT-In), Ministry of Electronics and Information Technology, Government of India, Electronics Niketan, 6, CGO Complex, Lodhi Road, New Delhi - 110 003, India