SecuriTeam - Vulnerabilities in Pragmatic General Multicast (PGM) Allows Denial of Service (MS08-036)

Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus

Ask the Team
Mailing Lists
Advertising Info
Advisories
About SecuriTeam
Blogs

Brought to you by:

Suppliers of:

SecuriTeam in Your Inbox

New vulnerability?
New tool?
Tell us
(Our PGP key).

CanSecWest 2012

2nd Annual Cyber Security

Hack In Paris

This security update resolves two privately reported vulnerabilities in the Pragmatic General Multicast (PGM) protocol that could allow a denial of service if malformed PGM packets are received by an affected system. An attacker who successfully exploited this vulnerability could cause a user s system to become non-responsive and to require a restart to restore functionality. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.

This security update is rated Important for all supported editions of Windows XP and Windows Server 2003 and rated Moderate for all supported editions of Windows Vista and Windows Server 2008. For more information, see the subsection, Affected and Non-Affected Software, in this section.

Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/ms08-036.mspx

Website Security Scan	Code Vulnerability Test	Network Assessment Tool
Detect hidden vulnerabilities	Exhaustive automated testing	Real-time, continuous security
Get guidance from professionals	of internal or 3rd party code.	scanning for your entire network

Protect your website!
Use an External Vulnerability Scanner!
Nothing to install. First report in 1 hour!
www.beyondsecurity.com/vulnerability-scanner

Affected Software:
* Windows XP Service Pack 2 - Denial of Service - Important - MS06-052
* Windows XP Service Pack 3 - Denial of Service - Important - None
* Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 - Denial of Service - Important - None
* Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 - Denial of Service - Important - None
* Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 - Denial of Service - Important - None
* Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems - Denial of Service - Important - None
* Windows Vista and Windows Vista Service Pack 1 - Denial of Service - Moderate - None
* Windows Vista x64 Edition and Windows Vista x64 Edition Service Pack 1 - Denial of Service - Moderate - None
* Windows Server 2008 for 32-bit Systems* - Denial of Service - Moderate - None
* Windows Server 2008 for x64-based Systems* - Denial of Service - Moderate - None
* Windows Server 2008 for Itanium-based Systems - Denial of Service - Moderate - None

*Supported editions of Windows Server 2008 are not affected if installed using the Server Core installation option. For more information on this installation option, see Server Core. Note that the Server Core installation option does not apply to certain editions of Windows Server 2008; see Compare Server Core Installation Options.

Non-Affected Software:
* Windows 2000 Service Pack 4

PGM Invalid Length Vulnerability - CVE-2008-1440
A denial of service vulnerability exists in implementations of the Pragmatic General Multicast (PGM) protocol on Microsoft Windows XP and Windows Server 2003. The vulnerability is due to improper validation of specially crafted PGM packets. An attacker who successfully exploited this vulnerability could cause the computer to become non-responsive and require a restart to restore functionality.

CVE Information:
CVE-2008-1440

PGM Malformed Fragment Vulnerability - CVE-2008-1441
A denial of service vulnerability exists in implementations of the Pragmatic General Multicast (PGM) protocol on Microsoft Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008. The protocol s parsing code does not properly validate specially crafted PGM fragments and will cause the affected system to become non-responsive until the attack has ceased.

CVE Information:
CVE-2008-1441

blog comments powered by Disqus

	Novell Zenworks Software Packaging LaunchHelp.dll Code Execution Vulnerability
	Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability
	Microsoft Internet Explorer swapNode Handling Code Execution Vulnerability
	Microsoft Internet Explorer Select Element Insufficient Type Checking Code Execution Vulnerability
	Internet Explorer Select Element Cache Code Execution Vulnerability
	Microsoft Office Graph DataFormat Signed Index Code Execution Vulnerability
	Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability
	Microsoft Internet Explorer Protected Mode Bypass Vulnerability
	Microsoft Internet Explorer 9 STYLE Object Parsing Code Execution Vulnerability
	Microsoft Internet Explorer XSLT SetViewSlave Code Execution Vulnerability
	CA Total Defense Suite Gateway Security Malformed HTTP Packet Code Execution Vulnerability
	HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Code Execution Vulnerability
	TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability
	Symantec Veritas Storage Foundation vxsvc.exe Unicode Code Execution Vulnerability
	HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability