
Vulnerability Detail

Microsoft Windows IPSec default filter vulnerability

Date Discovered:
19 May 2004

Date Published:
31 May 2004

Last Updated:
18 Oct 2004

Threat Assessment

Overall Risk:  Medium
Popularity:  High
Impact:  Medium
Simplicity:  Low

Characteristics

Vulnerability ID:  28350
Discovered By:  JJ Gray

Exploitable Locally:  No
Exploitable Remotely:  Yes

Impact:  Remote attackers can bypass IPSec filtering.

Root Cause:  Software Vulnerability

 

Description

Microsoft Windows contains a vulnerability that can allow an attacker to bypass IPSec filters. The vulnerability is due to a default setting that permits UDP and TCP packets with a source port of 88 to reach any destination port on the IPSec host. Additionally, packets with a source and destination port of 500, RSVP traffic, multicast traffic, and broadcast traffic are permitted by default. An attacker can use these default exemptions to bypass the IPSec filter and access the IPSec-enabled host. Note: While IPSec does have the capability to filter traffic, it is not meant to be a replacement for a host-based firewall.


Recommendations

Windows 2000:
Apply Service Pack 4 or add a NoDefaultExempt value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC registry key.

Windows XP:
Add the NoDefaultExempt value to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC registry key.

Click Start -> click Run -> type regedit, and then click OK.

Open the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC key.

Right-click IPSEC -> New -> DWORD Value.
Name this new entry NoDefaultExempt.

Change the value of the NoDefaultExempt entry from 0 to 1.

Quit Registry Editor.

Reboot.

Vendor KB article(s):
http://support.microsoft.com/default.aspx?scid=kb;EN-US;811832
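
To confirm the change across several hosts, the check below reads the text of a regedit export of the IPSEC key and reports whether NoDefaultExempt exists and is set to 1. It is an added example, not part of the original advisory; the function names, status labels, host names and sample exports are constructed for illustration.

```python
import re

# Key and value name come from the advisory; everything else here is constructed.
IPSEC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\IPSEC"
SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{1,8})$')

def no_default_exempt(reg_text):
    """Return the NoDefaultExempt DWORD from regedit export text, or None if absent."""
    in_key = False
    for raw in reg_text.splitlines():
        line = raw.strip()
        section = SECTION.match(line)
        if section:
            # Registry names are case-insensitive; subkeys of IPSEC do not count.
            in_key = section.group(1).lower() == IPSEC_KEY.lower()
            continue
        value = DWORD.match(line) if in_key else None
        if value and value.group(1).lower() == "nodefaultexempt":
            return int(value.group(2), 16)
    return None

def assess(reg_text):
    """Map the exported value to an audit status (labels are this example's own)."""
    value = no_default_exempt(reg_text)
    if value is None:
        return "MISSING"      # the entry was never created
    if value == 1:
        return "SET"          # the value the advisory recommends
    return "NOT_SET" if value == 0 else "UNEXPECTED"

# Constructed sample exports (hypothetical host names), already decoded to text.
HEADER = "Windows Registry Editor Version 5.00\r\n\r\n"
SAMPLES = {
    "host-a": HEADER + "[" + IPSEC_KEY + "]\r\n\"Start\"=dword:00000001\r\n",
    "host-b": HEADER + "[" + IPSEC_KEY + "]\r\n\"NoDefaultExempt\"=dword:00000000\r\n",
    "host-c": HEADER + "[" + IPSEC_KEY.lower() + "]\r\n\"nodefaultexempt\"=dword:00000001\r\n",
    # The entry under a different key must not be mistaken for the real one.
    "host-d": HEADER + "[" + IPSEC_KEY + "\\Enum]\r\n\"NoDefaultExempt\"=dword:00000001\r\n",
}

def audit(samples):
    """Return {host: status} for a mapping of host name to export text."""
    return {host: assess(text) for host, text in samples.items()}

if __name__ == "__main__":
    for host, status in sorted(audit(SAMPLES).items()):
        print(host, status)
```

On Windows 2000 hosts remediated by applying Service Pack 4 instead, a MISSING result does not by itself mean the recommendation was skipped.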


Affected Technologies

Microsoft: Microsoft Windows 2000 Advanced Server SP1 x86 32 EN
Microsoft: Microsoft Windows 2000 Advanced Server SP2 x86 32 EN
Microsoft: Microsoft Windows 2000 Advanced Server SP3 x86 32 EN
Microsoft: Microsoft Windows 2000 Advanced Server x86 32 EN
Microsoft: Microsoft Windows 2000 Professional SP1 x86 32 EN
Microsoft: Microsoft Windows 2000 Professional SP2 x86 32 EN
Microsoft: Microsoft Windows 2000 Professional SP3 x86 32 EN
Microsoft: Microsoft Windows 2000 Professional x86 32 EN
Microsoft: Microsoft Windows 2000 Server SP1 x86 32 EN
Microsoft: Microsoft Windows 2000 Server SP2 x86 32 EN
Microsoft: Microsoft Windows 2000 Server SP3 x86 32 EN
Microsoft: Microsoft Windows 2000 Server x86 32 EN
Microsoft: Microsoft Windows XP Home Edition SP1 x86 32 EN
Microsoft: Microsoft Windows XP Home Edition x86 32 EN
Microsoft: Microsoft Windows XP Professional SP1 x86 32 EN
Microsoft: Microsoft Windows XP Professional x86 32 EN


References

Mitre CVE: CVE-2002-2270


CA Global Security Advisor
