
047910
CVSS 5.0 - MEDIUM
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
NONE
Integrity impact
NONE
Availability impact
PARTIAL
network
low complexity
microsoft
CWE-399
nessus

Summary

Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (engine hang and restart) via a crafted file, a different vulnerability than CVE-2008-1438.

Common Weakness Enumeration (CWE)

Nessus

NASL familyWindows : Microsoft Bulletins
NASL idSMB_NT_MS08-029.NASL
descriptionThe remote host is running a version of Windows Malware Protection engine that is vulnerable to a bug in the file handling routine which could allow an attacker to crash the protection engine.
last seen2020-06-01
modified2020-06-02
plugin id32313
published2008-05-13
reporterThis script is Copyright (C) 2008-2018 Tenable Network Security, Inc.
sourcehttps://www.tenable.com/plugins/nessus/32313
titleMS08-029: Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)
code
#
# (C) Tenable Network Security, Inc.
#

include("compat.inc");

# Plugin registration block: populates the plugin's metadata when the
# scanner loads it in description mode and exits before any detection
# logic below runs.
if (description)
{
 script_id(32313);
 script_version("1.24");
 script_cvs_date("Date: 2018/11/15 20:50:30");

 # Both CVEs from MS08-029 are covered by this single version check.
 script_cve_id("CVE-2008-1437","CVE-2008-1438");
 script_bugtraq_id(29060, 29073);
 script_xref(name:"MSFT", value:"MS08-029");
 script_xref(name:"MSKB", value:"952044");

 script_name(english:"MS08-029: Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044)");
 script_summary(english:"Determines the version of Malware Protection Engine.");

 script_set_attribute(attribute:"synopsis", value:
"It is possible to crash the antimalware program.");
 script_set_attribute(attribute:"description", value:
"The remote host is running a version of Windows Malware Protection
engine that is vulnerable to a bug in the file handling routine which
could allow an attacker to crash the protection engine.");
 script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2008/ms08-029");
 script_set_attribute(attribute:"solution", value:
"Microsoft has released a set of patches for Windows Defender and Live
OneCare.");
 # CVSSv2: network vector, low complexity, no auth, availability impact only.
 script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:N/I:N/A:P");
 script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
 script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
 script_set_attribute(attribute:"exploit_available", value:"false");
 # CWE-399: Resource Management Errors.
 script_cwe_id(399);

 script_set_attribute(attribute:"vuln_publication_date", value:"2008/05/13");
 script_set_attribute(attribute:"patch_publication_date", value:"2008/05/13");
 script_set_attribute(attribute:"plugin_publication_date", value:"2008/05/13");

 # Local (credentialed) check; the CPE list names every product the
 # bulletin covers, although the registry check below only reads the
 # Windows Defender and OneCare keys.
 script_set_attribute(attribute:"plugin_type", value:"local");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:windows_defender");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:windows_live_onecare");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:antigen");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:forefront_client_security");
 script_set_attribute(attribute:"cpe", value:"cpe:/a:microsoft:forefront_security");
 script_end_attributes();

 script_category(ACT_GATHER_INFO);

 script_copyright(english:"This script is Copyright (C) 2008-2018 Tenable Network Security, Inc.");
 script_family(english:"Windows : Microsoft Bulletins");

 # Requires the SMB hotfix enumeration plugins to have run first and the
 # KB key they set; SMB ports (or a patch-management source) must be present.
 script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
 script_require_keys("SMB/MS_Bulletin_Checks/Possible");
 script_require_ports(139, 445, 'Host/patch_management_checks');
 exit(0);
}

include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("smb_reg_query.inc");
include("misc_func.inc");

# Detection logic: exits early unless the SMB bulletin checks are possible.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS08-029';
kbs = make_list("952044");

# Defer to a third-party patch-management source when the host has one.
if (get_kb_item("Host/patch_management_checks"))
  hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);

# Service-pack ranges passed here: XP 0-2, Vista 0-1. Anything else is not
# in scope for this bulletin.
if (hotfix_check_sp_range(xp:'0,2', vista:'0,1') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

productname = get_kb_item_or_exit("SMB/ProductName", exit_code:1);
if (!('XP' >< productname || 'Vista' >< productname))
  exit(0, "The host is running " + productname + " and hence is not affected.");

registry_init();
hklm = registry_hive_connect(hive:HKEY_LOCAL_MACHINE, exit_on_fail:TRUE);

# Each product records the engine build under its Signature Updates key.
keys = make_list (
	"SOFTWARE\Microsoft\Windows Defender\Signature Updates",
	"SOFTWARE\Microsoft\OneCare Protection\Signature Updates"
);

kb = '952044';
fixed_engine = '1.1.3520';

foreach sig_key (keys)
{
  engine_ver = get_registry_value(handle:hklm, item:sig_key + "\EngineVersion");

  # No EngineVersion value means this product is not installed; try the next key.
  if (isnull(engine_ver)) continue;

  # An engine build older than the fixed one is reported and the scan ends
  # at the first hit.
  if (ver_compare(ver:engine_ver, fix:fixed_engine, strict:FALSE) < 0)
  {
    RegCloseKey(handle:hklm);
    set_kb_item(name:"SMB/Missing/MS08-029", value:TRUE);
    hotfix_add_report(bulletin:bulletin, kb:kb);
    hotfix_security_warning();
    hotfix_check_fversion_end();
    exit(0);
  }
}

RegCloseKey(handle:hklm);
hotfix_check_fversion_end();
audit(AUDIT_HOST_NOT, 'affected');

Oval

accepted2012-01-16T04:00:46.641-05:00
classvulnerability
contributors
nameSecPod Team
organizationSecPod Technologies
definition_extensions
  • commentMicrosoft Windows Live OneCare is installed
    ovaloval:org.mitre.oval:def:14185
  • commentMicrosoft Windows Defender is installed
    ovaloval:org.mitre.oval:def:14263
  • commentMicrosoft Forefront Security for SharePoint is installed
    ovaloval:org.mitre.oval:def:14529
  • commentMicrosoft Forefront Security for Exchange Server is installed
    ovaloval:org.mitre.oval:def:14468
  • commentMicrosoft Antigen for Exchange is installed
    ovaloval:org.mitre.oval:def:14520
  • commentMicrosoft Antigen for SMTP Gateway is installed
    ovaloval:org.mitre.oval:def:14251
descriptionUnspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (engine hang and restart) via a crafted file, a different vulnerability than CVE-2008-1438.
familywindows
idoval:org.mitre.oval:def:13981
statusaccepted
submitted2011-12-09T18:23:43
titleMicrosoft Malware Protection Engine Vulnerability-I
version9

Seebug

  • bulletinFamilyexploit
    descriptionBUGTRAQ ID: 29060,29073 CVE(CAN) ID: CVE-2008-1437,CVE-2008-1438 Microsoft恶意软件保护引擎可为防病毒和反间谍软件客户端提供扫描、监测和清除功能。 Microsoft恶意软件保护引擎处理特制文件的方式中存在拒绝服务漏洞,攻击者可以通过建立特制文件来利用此漏洞,当目标计算机系统接收或Microsoft恶意软件保护引擎扫描到此文件时,就可能导致Microsoft恶意软件保护引擎停止响应和自动重新启动,或耗尽所有磁盘空间 0 Microsoft Windows Live OneCare Microsoft Antigen for SMTP Gateway Microsoft Antigen for Exchange Microsoft Windows Defender Microsoft Forefront Security for SharePoint Microsoft Forefront Security for Exchange Server Microsoft Forefront Client Security Microsoft Diagnostics and Recovery Toolset 6.x 临时解决方法: * 在同一系统上,Microsoft Forefront Security for Exchange Server、Microsoft Forefront Security for SharePoint 和Microsoft Antigen除了支持Microsoft恶意软件保护引擎外还支持多种引擎。如果受影响系统上有多个引擎可用,管理员可以禁用恶意软件保护引擎,直到可以更新Microsoft恶意软件保护引擎。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS08-029)以及相应补丁: MS08-029:Vulnerabilities in Microsoft Malware Protection Engine Could Allow Denial of Service (952044) http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx?pf=true
    idSSV:3291
    last seen2017-11-19
    modified2008-05-17
    published2008-05-17
    reporterRoot
    titleMicrosoft恶意软件保护引擎多个拒绝服务漏洞(MS08-029)
  • bulletinFamilyexploit
    descriptionCVE-2008-1437 CVE-2008-1438 There are two vulnerabilities identified in Microsoft Antivirus product. These vulnerabilities can be exploited to cause Denial of service. 1. CVE-2008-1437 PE Parsing Memory Corruption While scanning a specially crafted PE file, Malware protection engine (MsMpEng.exe/mpengine.dll for Windows Live OneCare) will crash. Currently, there's no evidence of code execution found. Please note that this vulnerability can be triggered in various ways: a. by sending emails to target mail server which is protected by MS antivirus b. by sending emails to victim who is using Windows Onecare or Windows Defender. c. by convincing the victim to visit some websites. d. by sending files (can be any extension) to victims through P2P/IM. Real Time protection is enabled by default, so in the cases b & c, the vulnerability can be exploited without any further user interaction after the victim received the email or opened the website. 2. CVE-2008-1438 PE Parsing Disk Space D.o.S When a specially crafted file with a malformed "size of header" is scanned by Microsoft Windows OneCare, a Disk Space DoS condition occurs. Microsoft Malware protection engine will allocate as much disk space as the PE file "claimed"; it can "eat" several GB of disk space on the Windows installation drive. Windows Live OneCare Microsoft Antigen for Exchange Microsoft Antigen for SMTP Gateway Microsoft Windows Defender Microsoft Forefront Client Security Microsoft Forefront Security for Exchange Server Microsoft Forefront Security for SharePoint Standalone System Sweeper located in Diagnostics and Recovery Toolset 6.0 Microsoft has released an update addressing this issue. <a href=http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx target=_blank>http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx</a>
    idSSV:3606
    last seen2017-11-19
    modified2008-07-13
    published2008-07-13
    reporterRoot
    titleMicrosoft Malware Protection Engine TWO DoS Vulnerabilities