Friday, April 23, 2010

firewall

Windows Vista Firewall Blocking Rule Information Disclosure Vulnerability

There is an information disclosure vulnerability in Windows Vista that could allow a remote anonymous attacker to send inbound network traffic to the affected system. It would be possible for the attacker to gain information about the system over the network.







Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factor may be helpful in your situation:

• The vulnerability only allows an attacker to gain system information about the affected system. Valid user credentials would be required to access additional services or local resources.
• In Windows Vista, if the network profile is set to “Public”, the system is not affected by this vulnerability.






Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:


Disable Teredo

You can help protect against this vulnerability by disabling the Teredo transport mechanism. This prevents Teredo from being used as a transport or mechanism to traverse the NAT. To do this, run the following command as an administrator:

Netsh int ter set st disable
• Disable Teredo by modifying the registry.

Teredo can also be disabled by modifying the Windows registry. Create the following registry value to disable Teredo as a transport mechanism.

Note Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in Regedt32.exe.

1. Click Start, click Run, type "regedit" (without the quotation marks), and then click OK.

2. Navigate to the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters\

3. Right click on the DisabledComponents key and select Modify.

4. Set the value to 0x8 to disable Teredo.

Impact of Workaround: If you disable Teredo, depending on network configuration, applications that use the Teredo interface will not function or be accessible.

• Block inbound and outbound Teredo UDP traffic using a Windows Vista Firewall setting.
A custom firewall rule can be created that blocks all Teredo related traffic from communicating with the affected system. To do this, follow these steps:

1. Click Control Panel, click Classic View.

2. Click Administrative Tools and then double-click Windows Firewall with Advanced Security.

3. Select Inbound Rules.

4. Select Core Networking - Teredo (UDP-In).

5. Right click, select Properties.

6. Select “Block the connections”.

7. Select Outbound Rules.

8. Select Core Networking - Teredo (UDP-Out).

9. Right click, select Properties.

10. Select “Block the connections”.

Impact of Workaround: If you block Teredo network traffic using the custom Windows Firewall rule, applications that use the Teredo interface will not function properly or be accessible.


Block Teredo UDP outbound traffic on perimeter firewalls.

Blocking all outbound UDP traffic destined to port 3544 at the network perimeter will prevent affected Vista systems from communicating with external hosts attempting to exploit the vulnerability.

Impact of Workaround: Depending on network configuration, applications that use the Teredo interface will not function or be accessible outside of the network perimeter.
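The host-side workarounds above (netsh state, the DisabledComponents registry value, and the two built-in Core Networking Teredo firewall rules) can be audited and applied from one elevated command prompt. The script below is an added example and is not part of the bulletin; it uses the long-form netsh and reg commands that ship with Vista, and assumes no other DisabledComponents bits are already in use on the system.

```batch
@echo off
REM Added example (not from the bulletin): audit and apply the host-side Teredo
REM workarounds. Run from an elevated (administrator) command prompt.
REM   teredo-workaround.cmd check   - report current state only (default)
REM   teredo-workaround.cmd apply   - apply all three workarounds
setlocal
set "MODE=%~1"
if "%MODE%"=="" set "MODE=check"

echo === Teredo interface state (netsh) ===
netsh interface teredo show state

echo === DisabledComponents under tcpip6\Parameters ===
reg query "HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters" /v DisabledComponents 2>nul || echo (value not present: Teredo is not disabled via the registry)

echo === Built-in Core Networking Teredo firewall rules ===
netsh advfirewall firewall show rule name="Core Networking - Teredo (UDP-In)"
netsh advfirewall firewall show rule name="Core Networking - Teredo (UDP-Out)"

if /i not "%MODE%"=="apply" goto :eof

echo.
echo Applying workarounds...
REM 1. Disable the Teredo transport (long form of "netsh int ter set st disable").
netsh interface teredo set state disabled

REM 2. DisabledComponents is a bitmask; 0x8 is the Teredo bit, as in the bulletin.
REM    Assumption: no other bits are in use. If the value already exists with other
REM    bits set, OR 0x8 into the existing value instead of overwriting it.
reg add "HKLM\SYSTEM\CurrentControlSet\Services\tcpip6\Parameters" /v DisabledComponents /t REG_DWORD /d 8 /f

REM 3. Switch the two built-in Teredo rules from allow to block. This is the same
REM    change as steps 1-10 in the Windows Firewall with Advanced Security UI.
netsh advfirewall firewall set rule name="Core Networking - Teredo (UDP-In)" new action=block
netsh advfirewall firewall set rule name="Core Networking - Teredo (UDP-Out)" new action=block

echo Done. The registry change takes effect after the next reboot.
endlocal
```

Re-run the script in check mode afterwards: netsh should report the Teredo state as disabled and both rules as Action: Block.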


What is the scope of the vulnerability?
This is an information disclosure vulnerability. An attacker who successfully exploited this vulnerability could gain information about the vulnerable system and be able to identify its existence on the network.

What causes the vulnerability?
On Windows Vista, network traffic is handled incorrectly through the Teredo interface, which causes some firewall rules to be bypassed.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could bypass some of the firewall rules of an affected system.

How could an attacker exploit the vulnerability?
An attacker could remotely activate the Teredo interface under certain configuration scenarios or would have to convince a user to click a link containing a Teredo network address on a Web site, in an e-mail message or Instant Messenger message. Clicking the link would cause Teredo to enter an active state and subsequently cause the affected host to initiate communications with the attacker. This would then allow the attacker to know the target’s Teredo network address which could then be used to send communications to the host that are not blocked by the local Windows Vista firewall. Additionally, as Teredo facilitates network tunneling once a connection is established with an attacker, it would also be possible for the communications to potentially bypass network perimeter firewalls.

What is Teredo?
Teredo is an IPv6 transition technology that provides address assignment and host-to-host automatic tunneling for unicast IPv6 traffic when IPv6/IPv4 hosts are located behind one or multiple IPv4 network address translators (NATs). To traverse IPv4 NATs, IPv6 packets are sent as IPv4-based User Datagram Protocol (UDP) messages. See the TechNet Web site for more information regarding the Teredo service.

Could the vulnerability be exploited over the Internet?
Yes, this vulnerability could be exploited over the Internet once a user has clicked on a specially crafted link containing an IPv6 address, causing the Teredo interface to be activated.

What systems are primarily at risk from the vulnerability?
Any Windows Vista system where the network profile is not set to “Public” could be at risk from this vulnerability. Windows Vista systems that use Remote Assistance or Meeting Space may be at more risk because these applications automatically place Teredo in an active state.

What does the update do?
The update modifies the Windows Vista firewall and core network components to ensure that the default behavior is to block unsolicited traffic over the Teredo interface.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
Link:
http://technet.microsoft.com/en-us/library/cc875811.aspx






