Check Point Advisories

Microsoft Windows ISATAP IPv6 Source Address Spoofing (CVE-2010-0812)

Vulnerability
Protection

Check Point Reference:	SBP-2010-17
Date Published:	25 Apr 2010
Severity:	Medium
Last Updated:	Monday 15 August, 2016
Source:
Industry Reference:	CVE-2010-0812
Protection Provided by:	Security Gateway R81, R80, R77, R75, R71, R70, R65
Who is Vulnerable?
Vulnerability Description	The Intra-Site Automatic Tunnel Addressing Protocol (ISATAP) provides IPv6 connectivity within an IPv4 Intranet. A spoofing vulnerability has been reported in Microsoft Windows due to the way that Windows checks the inner packet's IPv6 source address in a tunneled ISATAP packet. The vulnerability is due to an error in the Windows TCP/IP stack that fails properly check the source IPv6 address in a tunneled ISATAP packet. An attacker may exploit this vulnerability by creating network packets with a specially crafted IPv6 source address in an ISATAP connection that does not match the corresponding IPv4 source address. Successful exploitation of this spoofing vulnerability may allow attackers to impersonate an IP address in order to bypass edge or host firewalls.

Protection Overview

This protection will detect and block malformed IPv6 encapsulated packets where the IPV4 source address does not match the IPV6 source address.

In order for the protection to be activated, update your Security Gateway product to the latest IPS update. For information on how to update IPS, go to SBP-2006-05, click on Protection tab and select the version of your choice.

Security Gateway R80 / R77 / R75 / R71 / R70 / R65

In the IPS tab, click Protections and find the Microsoft Windows ISATAP IPv6 Source Address Spoofing protection using the Search tool and Edit the protection's settings.
Install policy on all Security Gateways.

This protection's log will contain the following information:

Attack Name: ICMP Protocol Violation.
Attack Information: Microsoft Windows ISATAP IPv6 source address spoofing