Check Point Advisories

Microsoft Web Services on Devices API Memory Corruption (MS09-063; CVE-2009-2512)

Vulnerability
Protection

Check Point Reference:	CPAI-2009-280
Date Published:	10 Nov 2009
Severity:	Critical
Last Updated:	Sunday 03 May, 2015
Source:
Industry Reference:	CVE-2009-2512
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	The WSDAPI is an implementation of the Devices Profile for Web Services (DPWS) for Windows Vista and Windows Server 2008. The DPWS constrains Web Services specifications so that clients can easily discover devices. A remote code execution vulnerability has been reported in the Web Service on Devices API (WSDAPI) on Windows systems.The vulnerability is due to an error in the WSDAPI process that fails to correctly validate the MIME header of a received WSDAPI message. A remote attacker can exploit this issue by sending a specially crafted MIME message to the WSD services on an affected system. Successful exploitation of this vulnerability could allow the attacker to execute arbitrary code on a target system.

Protection Overview

This protection will detect and block specially crafted MIME messages sent to the vulnerable services.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft Web Services on Devices API Memory Corruption (MS09-063) protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: Windows SMB Protection Violation.
Attack Information: Web Services on devices API memory corruption (MS09-063)