Vulnerabilities > CVE-2009-3675 - Resource Management Errors vulnerability in Microsoft Windows 2000, Windows 2003 Server and Windows XP

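CVSS v2 base score 6.8 - MEDIUM (vector AV:N/AC:L/Au:S/C:N/I:N/A:C, as set in the Nessus plugin below)
Attack vector (CVSS v2 "Access Vector"): NETWORK
Attack complexity (CVSS v2 "Access Complexity"): LOW
Privileges required (CVSS v2 "Authentication"): SINGLE
Confidentiality impact: NONE
Integrity impact: NONE
Availability impact: COMPLETE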
network
low complexity
microsoft
CWE-399
nessus

Summary

LSASS.exe in the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote authenticated users to cause a denial of service (CPU consumption) via a malformed ISAKMP request over IPsec, aka "Local Security Authority Subsystem Service Resource Exhaustion Vulnerability."

Common Weakness Enumeration (CWE)

Msbulletin

bulletin_id: MS09-069
bulletin_url:
date: 2009-12-08T00:00:00
impact: Denial of Service
knowledgebase_id: 974392
knowledgebase_url:
severity: Important
title: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service

Nessus

NASL family: Windows : Microsoft Bulletins
NASL id: SMB_NT_MS09-069.NASL
description: The version of LSASS running on the remote host improperly handles specially crafted ISAKMP messages communicated through IPsec, causing the system to consume excessive amounts of CPU resources. A remote, authenticated attacker could exploit this to cause a denial of service.
last seen: 2020-06-01
modified: 2020-06-02
plugin id: 43061
published: 2009-12-08
reporter: This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.
source: https://www.tenable.com/plugins/nessus/43061
title: MS09-069: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)
code:
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");


# Registration block: it runs only when `description` is set, records the
# plugin's identifiers, references, risk scoring and prerequisites, and then
# exits (exit(0) below) without reaching the check logic that follows it.
if (description)
{
  # Plugin identity and revision of this script.
  script_id(43061);
  script_version("1.19");
  script_cvs_date("Date: 2018/11/15 20:50:30");

  # Cross-references that tie a finding to the CVE, the Bugtraq entry, the
  # Microsoft bulletin / KB article and the IAVB notice.
  script_cve_id("CVE-2009-3675");
  script_bugtraq_id(37218);
  script_xref(name:"MSFT", value:"MS09-069");
  script_xref(name:"MSKB", value:"974392");
  script_xref(name:"IAVB", value:"2009-B-0064");

  # The summary states the detection method: a version check of oakley.dll,
  # i.e. the finding is derived from a file version, not from IPsec traffic.
  script_name(english:"MS09-069: Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392)");
  script_summary(english:"Checks version of oakley.dll");

  script_set_attribute(attribute:"synopsis", value:"The remote Windows host has a denial of service vulnerability.");
  script_set_attribute(
    attribute:"description",
    value:
"The version of LSASS running on the remote host improperly handles
specially crafted ISAKMP messages communicated through IPsec, causing
the system to consume excessive amounts of CPU resources.  A remote,
authenticated attacker could exploit this to cause a denial of service."
  );
  script_set_attribute(attribute:"see_also", value:"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2009/ms09-069");
  script_set_attribute(
    attribute:"solution",
    value:
"Microsoft has released a set of patches for Windows 2000, XP, and
2003."
  );
  # CVSS v2 base vector: network access vector, low access complexity, a single
  # authentication step, no confidentiality or integrity impact, complete
  # availability impact (a denial of service only).
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:S/C:N/I:N/A:C");
  # CVSS v2 temporal vector: exploitability unproven (E:U), official fix
  # available (RL:OF), report confirmed (RC:C).
  script_set_cvss_temporal_vector("CVSS2#E:U/RL:OF/RC:C");
  script_set_attribute(attribute:"exploitability_ease", value:"No known exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"false");
  # CWE-399: Resource Management Errors.
  script_cwe_id(399);

  # Disclosure, patch and plugin release all carry the same date.
  script_set_attribute(attribute:"vuln_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"patch_publication_date", value:"2009/12/08");
  script_set_attribute(attribute:"plugin_publication_date", value:"2009/12/08");

  # Declared as a "local" check against the generic Windows CPE.
  script_set_attribute(attribute:"plugin_type", value:"local");
  script_set_attribute(attribute:"cpe", value:"cpe:/o:microsoft:windows");
  script_set_attribute(attribute:"stig_severity", value:"II");
  script_end_attributes();

  # Information-gathering category: the plugin reads state from the host.
  script_category(ACT_GATHER_INFO);
  script_family(english:"Windows : Microsoft Bulletins");

  script_copyright(english:"This script is Copyright (C) 2009-2018 Tenable Network Security, Inc.");

  # Prerequisites: the two listed plugins are declared as dependencies and the
  # "SMB/MS_Bulletin_Checks/Possible" KB key is required.
  script_dependencies("smb_hotfixes.nasl", "ms_bulletin_checks_possible.nasl");
  script_require_keys("SMB/MS_Bulletin_Checks/Possible");
  # SMB ports or patch-management data are required as the data source.
  # NOTE(review): presumably any one of the three entries is enough - confirm.
  script_require_ports(139, 445, 'Host/patch_management_checks');

  exit(0);
}


include("audit.inc");
include("smb_func.inc");
include("smb_hotfixes.inc");
include("smb_hotfixes_fcheck.inc");
include("misc_func.inc");

# Check phase: decide from the on-disk version of Oakley.dll whether the
# MS09-069 update (KB974392) is missing on an in-scope Windows release.

# Stop here unless the bulletin-check prerequisite KB entry is present.
get_kb_item_or_exit("SMB/MS_Bulletin_Checks/Possible");

bulletin = 'MS09-069';
kb = '974392';

kbs = make_list(kb);
# When patch-management data is available, hand the bulletin and KB list to the
# third-party patch check, reported at warning severity.
if (get_kb_item("Host/patch_management_checks")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_WARNING);


# The file check below needs the enumerated registry data and the Windows
# version collected earlier in the scan.
get_kb_item_or_exit("SMB/Registry/Enumerated");
get_kb_item_or_exit("SMB/WindowsVersion", exit_code:1);

# Scope gate: only Windows 2000 SP4-5, XP SP2-3 and Server 2003 SP2 continue;
# any other OS / service pack is audited as not vulnerable.
if (hotfix_check_sp_range(win2k:'4,5', xp:'2,3', win2003:'2') <= 0) audit(AUDIT_OS_SP_NOT_VULN);

# Find the system root and the share that exposes it; without access to that
# share no file version can be read, so the plugin audits a share failure.
rootfile = hotfix_get_systemroot();
if (!rootfile) exit(1, "Failed to get the system root.");

share = hotfix_path2share(path:rootfile);
if (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);

# One Oakley.dll version threshold per OS branch, evaluated left to right.
# NOTE(review): presumably a file older than `version` counts as unpatched -
# confirm the comparison in smb_hotfixes_fcheck.inc.
# NOTE(review): this compares the file on disk; it does not show whether the
# running LSASS has loaded the updated DLL (e.g. a pending reboot).
if (
  # Windows 2k3 / XP SP2 x64
  hotfix_is_vulnerable(os:"5.2", file:"Oakley.dll", version:"5.2.3790.4600", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows XP x86
  hotfix_is_vulnerable(os:"5.1", sp:2, arch:"x86",  file:"Oakley.dll", version:"5.1.2600.3632", dir:"\system32", bulletin:bulletin, kb:kb) ||
  hotfix_is_vulnerable(os:"5.1", sp:3, arch:"x86",  file:"Oakley.dll", version:"5.1.2600.5886", dir:"\system32", bulletin:bulletin, kb:kb) ||

  # Windows 2k
  hotfix_is_vulnerable(os:"5.0", file:"Oakley.dll", version:"5.0.2195.7343",    dir:"\system32", bulletin:bulletin, kb:kb)
)
{
  # Record the missing bulletin in the KB under "SMB/Missing/MS09-069", raise
  # the warning-level finding, then end the file-version check.
  set_kb_item(name:"SMB/Missing/"+bulletin, value:TRUE);
  hotfix_security_warning();
  hotfix_check_fversion_end();
  exit(0);
}
else
{
  # No threshold matched: end the file-version check and audit the host as
  # not affected.
  hotfix_check_fversion_end();
  audit(AUDIT_HOST_NOT, 'affected');
}

Oval

accepted: 2010-01-18T04:00:13.327-05:00
class: vulnerability
contributors:
name: J. Daniel Brown
organization: DTCC
definition_extensions:
  • comment: Microsoft Windows 2000 SP4 or later is installed
    oval: oval:org.mitre.oval:def:229
  • comment: Microsoft Windows XP (x86) SP2 is installed
    oval: oval:org.mitre.oval:def:754
  • comment: Microsoft Windows XP (x86) SP3 is installed
    oval: oval:org.mitre.oval:def:5631
  • comment: Microsoft Windows XP x64 Edition SP2 is installed
    oval: oval:org.mitre.oval:def:4193
  • comment: Microsoft Windows Server 2003 SP2 (x86) is installed
    oval: oval:org.mitre.oval:def:1935
  • comment: Microsoft Windows Server 2003 SP2 (x64) is installed
    oval: oval:org.mitre.oval:def:2161
  • comment: Microsoft Windows Server 2003 (ia64) SP2 is installed
    oval: oval:org.mitre.oval:def:1442
description: LSASS.exe in the Local Security Authority Subsystem Service (LSASS) in Microsoft Windows 2000 SP4, XP SP2 and SP3, and Server 2003 SP2 allows remote authenticated users to cause a denial of service (CPU consumption) via a malformed ISAKMP request over IPsec, aka "Local Security Authority Subsystem Service Resource Exhaustion Vulnerability."
family: windows
id: oval:org.mitre.oval:def:6639
status: accepted
submitted: 2009-12-09T17:00:00
title: Local Security Authority Subsystem Service Resource Exhaustion Vulnerability
version: 69

Seebug

bulletinFamily: exploit
description: BUGTRAQ ID: 37218 CVE ID: CVE-2009-3675 Microsoft Windows是微软发布的非常流行的操作系统。 Windows系统上的本地安全权威子系统服务(LSASS)没有正确地处理特制的ISAKMP消息,如果通过认证的远程攻击者在通过IPSEC协议与受影响系统上的LSASS通讯期间发送了特制的ISAKMP消息,就可以耗尽系统资源。 Microsoft Windows XP SP3 Microsoft Windows XP SP2 Microsoft Windows Server 2003 SP2 Microsoft Windows 2000 Server SP4 临时解决方法: * 禁用IPSec服务。 厂商补丁: Microsoft --------- Microsoft已经为此发布了一个安全公告(MS09-069)以及相应补丁: MS09-069:Vulnerability in Local Security Authority Subsystem Service Could Allow Denial of Service (974392) 链接:http://www.microsoft.com/technet/security/Bulletin/MS09-069.mspx?pf=true
id: SSV:15040
last seen: 2017-11-19
modified: 2009-12-12
published: 2009-12-12
reporter: Root
title: Microsoft Windows LSASS服务ISAKMP消息远程拒绝服务漏洞(MS09-069)