ID

VAR-200805-0218


CVE

CVE-2008-1438


TITLE

Microsoft Malware Protection Engine denial of service (DoS) vulnerability related to temporary file creation

Trust: 0.8

sources: JVNDB: JVNDB-2008-001358

DESCRIPTION

Unspecified vulnerability in Microsoft Malware Protection Engine (mpengine.dll) 1.1.3520.0 and 0.1.13.192, as used in multiple Microsoft products, allows context-dependent attackers to cause a denial of service (disk space exhaustion) via a file with "crafted data structures" that trigger the creation of large temporary files, a different vulnerability than CVE-2008-1437.

This results in a denial of service (DoS) condition: processing a file crafted by a third party can create a large temporary file that exhausts the available disk space.

Attackers can exploit this issue to cause an affected computer to stop responding or to restart. Successful attacks will deny service to legitimate users.

PROVIDED AND/OR DISCOVERED BY: The vendor credits SoWhat, Nevis Labs.

ORIGINAL ADVISORY: MS08-029 (KB952044): http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx
Microsoft Malware Protection Engine TWO DoS Vulnerabilities
By Sowhat of Nevis Labs
Date: 2008.05.14
http://www.nevisnetworks.com
http://secway.org/advisory/AD20080514.txt

CVE: CVE-2008-1437 CVE-2008-1438

Vendor: Microsoft

Affected:
Windows Live OneCare
Microsoft Antigen for Exchange
Microsoft Antigen for SMTP Gateway
Microsoft Windows Defender
Microsoft Forefront Client Security
Microsoft Forefront Security for Exchange Server
Microsoft Forefront Security for SharePoint
Standalone System Sweeper located in Diagnostics and Recovery Toolset 6.0

Details:
There are two vulnerabilities identified in Microsoft Antivirus product. These vulnerabilities can be exploited to cause Denial of Service.

1. CVE-2008-1437 PE Parsing Memory Corruption
While scanning a specially crafted PE file, Malware Protection Engine (MsMpEng.exe/mpengine.dll for Windows Live OneCare) will crash. Currently, there's no evidence of code execution found.
Please note that this vulnerability can be triggered in various ways:
a. by sending emails to target mail server which is protected by MS antivirus
b. by sending emails to victim who is using Windows OneCare or Windows Defender.
c. by convincing the victim to visit some websites.
d. by sending files (can be any extension) to victims through P2P/IM.
Real Time protection is enabled by default, so in the case b&c, the vulnerability can be exploited without any further user interaction after the victim received the email or opened the website.

2. Proof of Concept:
No POC will be released.

Fix:
Microsoft has released an update addressing this issue.
http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx

Vendor Response:
2008.04.18 Vendor notified via email
2008.04.18 Vendor response, developing for patch
2008.05.14 Patch Release
2008.05.14 Advisory released

-- Sowhat
http://secway.org
"Life is like a bug, Do you know how to exploit it ?"

The most severe vulnerabilities could allow a remote, unauthenticated attacker to execute arbitrary code.

II. Impact
A remote, unauthenticated attacker could execute arbitrary code, gain elevated privileges, or cause a denial of service.

III. Solution
Apply updates from Microsoft
Microsoft has provided updates for these vulnerabilities in the May 2008 Security Bulletin Summary. The security bulletin describes any known issues related to the updates. Administrators are encouraged to note these issues and test for any potentially adverse effects. Administrators should consider using an automated update distribution system such as Windows Server Update Services (WSUS).

IV. References
* US-CERT Vulnerability Notes for Microsoft May 2008 updates - <http://www.kb.cert.org/vuls/byid?searchview&query=ms08-may>
* Microsoft Security Bulletin Summary for May 2008 - <http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx>
* Microsoft Update - <https://www.update.microsoft.com/microsoftupdate/>
* Windows Server Update Services - <http://www.microsoft.com/windowsserversystem/updateservices/default.mspx>

The most recent version of this document can be found at: <http://www.us-cert.gov/cas/techalerts/TA08-134A.html>

Feedback can be directed to US-CERT Technical Staff. Please send email to <cert@cert.org> with "TA08-134A Feedback VU#534907" in the subject.

Produced 2008 by US-CERT, a government organization.
Terms of use: <http://www.us-cert.gov/legal.html>

Revision History
May 13, 2008: Initial release

Trust: 2.34

sources: NVD: CVE-2008-1438 // JVNDB: JVNDB-2008-001358 // BID: 29073 // VULHUB: VHN-31563 // VULMON: CVE-2008-1438 // PACKETSTORM: 66305 // PACKETSTORM: 66402 // PACKETSTORM: 66311

AFFECTED PRODUCTS

vendor: microsoft | model: malware protection engine | scope: eq | version: 0.1.13.192

Trust: 1.6

vendor: microsoft | model: malware protection engine | scope: eq | version: 1.1.3520.0

Trust: 1.6

vendor: microsoft | model: diagnostics and recovery toolkit | scope: eq | version: 6.0

Trust: 1.6

vendor: microsoft | model: forefront client security | scope: - | version: -

Trust: 1.4

vendor: microsoft | model: windows defender | scope: - | version: -

Trust: 1.4

vendor: microsoft | model: windows live onecare | scope: - | version: -

Trust: 1.4

vendor: microsoft | model: antigen for exchange | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: windows defender | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: forefront security for sharepoint | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: forefront security for exchange server | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: windows live onecare | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: forefront client security | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: antigen for smtp gateway | scope: eq | version: *

Trust: 1.0

vendor: microsoft | model: diagnostics and recovery toolset | scope: eq | version: 6.0

Trust: 0.8

vendor: microsoft | model: antigen | scope: eq | version: for exchange

Trust: 0.8

vendor: microsoft | model: antigen | scope: eq | version: for smtp gateway

Trust: 0.8

vendor: microsoft | model: forefront security | scope: eq | version: for exchange server

Trust: 0.8

vendor: microsoft | model: forefront security | scope: eq | version: for sharepoint

Trust: 0.8

vendor: microsoft | model: forefront security for exchange server | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: antigen for exchange | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: forefront security for sharepoint | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: antigen for smtp gateway | scope: - | version: -

Trust: 0.6

vendor: microsoft | model: windows live onecare | scope: eq | version: 0

Trust: 0.3

vendor: microsoft | model: windows defender edition | scope: eq | version: x640

Trust: 0.3

vendor: microsoft | model: windows defender | scope: eq | version: 0

Trust: 0.3

vendor: microsoft | model: standalone system sweeper | scope: eq | version: 0

Trust: 0.3

vendor: microsoft | model: forefront security for sharepoint server | scope: eq | version: 1.0

Trust: 0.3

vendor: microsoft | model: forefront security for exchange server | scope: eq | version: 1.0

Trust: 0.3

vendor: microsoft | model: forefront client security | scope: eq | version: 0

Trust: 0.3

vendor: microsoft | model: antigen for smtp gateway | scope: eq | version: 9

Trust: 0.3

vendor: microsoft | model: antigen for exchange | scope: eq | version: 9

Trust: 0.3

sources: BID: 29073 // JVNDB: JVNDB-2008-001358 // CNNVD: CNNVD-200805-119 // NVD: CVE-2008-1438

CVSS

SEVERITY

CVSSV2

CVSSV3

nvd@nist.gov: CVE-2008-1438
value: MEDIUM

Trust: 1.0

NVD: CVE-2008-1438
value: MEDIUM

Trust: 0.8

CNNVD: CNNVD-200805-119
value: MEDIUM

Trust: 0.6

VULHUB: VHN-31563
value: MEDIUM

Trust: 0.1

VULMON: CVE-2008-1438
value: MEDIUM

Trust: 0.1

nvd@nist.gov: CVE-2008-1438
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 1.9

VULHUB: VHN-31563
severity: MEDIUM
baseScore: 5.0
vectorString: AV:N/AC:L/AU:N/C:N/I:N/A:P
accessVector: NETWORK
accessComplexity: LOW
authentication: NONE
confidentialityImpact: NONE
integrityImpact: NONE
availabilityImpact: PARTIAL
exploitabilityScore: 10.0
impactScore: 2.9
acInsufInfo: NONE
obtainAllPrivilege: NONE
obtainUserPrivilege: NONE
obtainOtherPrivilege: NONE
userInteractionRequired: NONE
version: 2.0

Trust: 0.1

sources: VULHUB: VHN-31563 // VULMON: CVE-2008-1438 // JVNDB: JVNDB-2008-001358 // CNNVD: CNNVD-200805-119 // NVD: CVE-2008-1438

PROBLEMTYPE DATA

problemtype: CWE-399

Trust: 1.9

sources: VULHUB: VHN-31563 // JVNDB: JVNDB-2008-001358 // NVD: CVE-2008-1438

THREAT TYPE

remote

Trust: 0.7

sources: PACKETSTORM: 66311 // CNNVD: CNNVD-200805-119

TYPE

resource management error

Trust: 0.6

sources: CNNVD: CNNVD-200805-119

CONFIGURATIONS

sources: JVNDB: JVNDB-2008-001358

PATCH

title: MS08-029 | url: http://www.microsoft.com/technet/security/Bulletin/MS08-029.mspx

Trust: 0.8

title: MS08-029 | url: http://www.microsoft.com/japan/technet/security/bulletin/ms08-029.mspx

Trust: 0.8

title: MS08-029e | url: http://www.microsoft.com/japan/security/bulletins/MS08-029e.mspx

Trust: 0.8

sources: JVNDB: JVNDB-2008-001358

EXTERNAL IDS

db: NVD | id: CVE-2008-1438

Trust: 3.0

db: BID | id: 29073

Trust: 2.9

db: SECUNIA | id: 30172

Trust: 2.7

db: USCERT | id: TA08-134A

Trust: 2.7

db: SECTRACK | id: 1020016

Trust: 2.6

db: VUPEN | id: ADV-2008-1506

Trust: 1.8

db: USCERT | id: SA08-134A

Trust: 0.8

db: JVNDB | id: JVNDB-2008-001358

Trust: 0.8

db: CNNVD | id: CNNVD-200805-119

Trust: 0.7

db: MS | id: MS08-029

Trust: 0.6

db: HP | id: SSRT080071

Trust: 0.6

db: CERT/CC | id: TA08-134A

Trust: 0.6

db: VULHUB | id: VHN-31563

Trust: 0.1

db: VULMON | id: CVE-2008-1438

Trust: 0.1

db: PACKETSTORM | id: 66305

Trust: 0.1

db: PACKETSTORM | id: 66402

Trust: 0.1

db: PACKETSTORM | id: 66311

Trust: 0.1

sources: VULHUB: VHN-31563 // VULMON: CVE-2008-1438 // BID: 29073 // JVNDB: JVNDB-2008-001358 // PACKETSTORM: 66305 // PACKETSTORM: 66402 // PACKETSTORM: 66311 // CNNVD: CNNVD-200805-119 // NVD: CVE-2008-1438

REFERENCES

url:http://www.securityfocus.com/bid/29073

Trust: 2.6

url:http://www.us-cert.gov/cas/techalerts/ta08-134a.html

Trust: 2.6

url:http://secunia.com/advisories/30172

Trust: 2.6

url:http://www.securitytracker.com/id?1020016

Trust: 1.8

url:http://marc.info/?l=bugtraq&m=121129490723574&w=2

Trust: 1.7

url:http://www.frsirt.com/english/advisories/2008/1506/references

Trust: 1.4

url:https://docs.microsoft.com/en-us/security-updates/securitybulletins/2008/ms08-029

Trust: 1.2

url:https://oval.cisecurity.org/repository/search/definition/oval%3aorg.mitre.oval%3adef%3a14375

Trust: 1.2

url:http://www.vupen.com/english/advisories/2008/1506/references

Trust: 1.2

url:http://www.microsoft.com/technet/security/bulletin/ms08-029.mspx

Trust: 1.1

url:http://cve.mitre.org/cgi-bin/cvename.cgi?name=cve-2008-1438

Trust: 0.8

url:http://www.jpcert.or.jp/at/2008/at080007.txt

Trust: 0.8

url:http://jvn.jp/cert/jvnta08-134a/index.html

Trust: 0.8

url:http://jvn.jp/tr/trta08-134a

Trust: 0.8

url:http://nvd.nist.gov/nvd.cfm?cvename=cve-2008-1438

Trust: 0.8

url:http://securitytracker.com/alerts/2008/may/1020016.html

Trust: 0.8

url:http://www.us-cert.gov/cas/alerts/sa08-134a.html

Trust: 0.8

url:http://www.cyberpolice.go.jp/important/2008/20080514_110201.html

Trust: 0.8

url:http://secway.org/advisory/ad20080514.txt

Trust: 0.4

url:http://www.microsoft.com

Trust: 0.3

url:https://cwe.mitre.org/data/definitions/399.html

Trust: 0.1

url:https://nvd.nist.gov

Trust: 0.1

url:http://secunia.com/product/13488/

Trust: 0.1

url:http://secunia.com/secunia_security_advisories/

Trust: 0.1

url:http://secunia.com/about_secunia_advisories/

Trust: 0.1

url:http://secunia.com/network_software_inspector_2/

Trust: 0.1

url:http://secunia.com/product/13487/

Trust: 0.1

url:http://secunia.com/product/13422/

Trust: 0.1

url:http://secunia.com/product/13486/

Trust: 0.1

url:http://secunia.com/product/13464/

Trust: 0.1

url:http://secunia.com/sec_adv_unsubscribe/?email=packet%40packetstormsecurity.org

Trust: 0.1

url:http://secunia.com/advisories/30172/

Trust: 0.1

url:http://secunia.com/product/17290/

Trust: 0.1

url:http://secunia.com/product/18640/

Trust: 0.1

url:http://secway.org

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-1437

Trust: 0.1

url:http://www.nevisnetworks.com

Trust: 0.1

url:https://nvd.nist.gov/vuln/detail/cve-2008-1438

Trust: 0.1

url:http://www.kb.cert.org/vuls/byid?searchview&query=ms08-may

Trust: 0.1

url:http://www.microsoft.com/technet/security/bulletin/ms08-may.mspx

Trust: 0.1

url:http://www.microsoft.com/windowsserversystem/updateservices/default.mspx

Trust: 0.1

url:http://www.us-cert.gov/cas/signup.html

Trust: 0.1

url:http://www.us-cert.gov/legal.html

Trust: 0.1

url:https://www.update.microsoft.com/microsoftupdate/

Trust: 0.1

sources: VULHUB: VHN-31563 // VULMON: CVE-2008-1438 // BID: 29073 // JVNDB: JVNDB-2008-001358 // PACKETSTORM: 66305 // PACKETSTORM: 66402 // PACKETSTORM: 66311 // CNNVD: CNNVD-200805-119 // NVD: CVE-2008-1438

CREDITS

Sowhat smaillist@gmail.com

Trust: 0.6

sources: CNNVD: CNNVD-200805-119

SOURCES

db: VULHUB | id: VHN-31563
db: VULMON | id: CVE-2008-1438
db: BID | id: 29073
db: JVNDB | id: JVNDB-2008-001358
db: PACKETSTORM | id: 66305
db: PACKETSTORM | id: 66402
db: PACKETSTORM | id: 66311
db: CNNVD | id: CNNVD-200805-119
db: NVD | id: CVE-2008-1438

LAST UPDATE DATE

2024-08-14T12:28:00.808000+00:00


SOURCES UPDATE DATE

db: VULHUB | id: VHN-31563 | date: 2018-10-12T00:00:00
db: VULMON | id: CVE-2008-1438 | date: 2018-10-12T00:00:00
db: BID | id: 29073 | date: 2008-05-14T16:55:00
db: JVNDB | id: JVNDB-2008-001358 | date: 2011-03-18T00:00:00
db: CNNVD | id: CNNVD-200805-119 | date: 2008-09-05T00:00:00
db: NVD | id: CVE-2008-1438 | date: 2018-10-12T21:45:25.273

SOURCES RELEASE DATE

db: VULHUB | id: VHN-31563 | date: 2008-05-13T00:00:00
db: VULMON | id: CVE-2008-1438 | date: 2008-05-13T00:00:00
db: BID | id: 29073 | date: 2008-05-13T00:00:00
db: JVNDB | id: JVNDB-2008-001358 | date: 2008-06-03T00:00:00
db: PACKETSTORM | id: 66305 | date: 2008-05-13T19:35:09
db: PACKETSTORM | id: 66402 | date: 2008-05-15T07:54:53
db: PACKETSTORM | id: 66311 | date: 2008-05-13T19:41:07
db: CNNVD | id: CNNVD-200805-119 | date: 2008-05-13T00:00:00
db: NVD | id: CVE-2008-1438 | date: 2008-05-13T22:20:00