Signature Detail

TCP: C2S Old Packet Old Timestamp in 3WH ACK

This protocol anomaly triggers when it detects an ACK packet in the three-way handshake with a time-stamp that is older than a previously recorded time-stamp (as specified by RFC1323). Because these ambiguous packets can be interpreted by the receiving host in different, unpredictable ways, it is recommended to drop them.

Extended Description

Microsoft Windows TCP/IP protocol implementation is prone to a remote code-execution vulnerability. An attacker can exploit this issue to execute arbitrary code with SYSTEM-level privileges. Successful attacks will completely compromise affected computers.

Affected Products

• Avaya Messaging Application Server MM 1.1
• Avaya Messaging Application Server MM 2.0
• Avaya Messaging Application Server MM 3.0
• Avaya Messaging Application Server MM 3.1
• Avaya Messaging Application Server
• Microsoft Windows Server 2008 for 32-bit Systems SP2
• Microsoft Windows Server 2008 for 32-bit Systems
• Microsoft Windows Server 2008 for Itanium-based Systems SP2
• Microsoft Windows Server 2008 for Itanium-based Systems
• Microsoft Windows Server 2008 for x64-based Systems SP2
• Microsoft Windows Server 2008 for x64-based Systems
• Microsoft Windows Vista Business
• Microsoft Windows Vista Business SP1
• Microsoft Windows Vista Business SP2
• Microsoft Windows Vista Enterprise
• Microsoft Windows Vista Enterprise SP1
• Microsoft Windows Vista Enterprise SP2
• Microsoft Windows Vista Home Basic
• Microsoft Windows Vista Home Basic SP1
• Microsoft Windows Vista Home Basic SP2
• Microsoft Windows Vista Home Premium
• Microsoft Windows Vista Home Premium SP1
• Microsoft Windows Vista Home Premium SP2
• Microsoft Windows Vista SP1
• Microsoft Windows Vista SP2
• Microsoft Windows Vista Ultimate SP1
• Microsoft Windows Vista Ultimate SP2
• Microsoft Windows Vista
• Microsoft Windows Vista Business 64-bit edition SP1
• Microsoft Windows Vista Business 64-bit edition SP2
• Microsoft Windows Vista Business 64-bit edition
• Microsoft Windows Vista Enterprise 64-bit edition SP1
• Microsoft Windows Vista Enterprise 64-bit edition SP2
• Microsoft Windows Vista Enterprise 64-bit edition
• Microsoft Windows Vista Home Basic 64-bit edition SP1
• Microsoft Windows Vista Home Basic 64-bit edition SP2
• Microsoft Windows Vista Home Basic 64-bit edition
• Microsoft Windows Vista Home Premium 64-bit edition SP1
• Microsoft Windows Vista Home Premium 64-bit edition SP2
• Microsoft Windows Vista Home Premium 64-bit edition
• Microsoft Windows Vista Ultimate 64-bit edition SP1
• Microsoft Windows Vista Ultimate 64-bit edition SP2
• Microsoft Windows Vista Ultimate 64-bit edition
• Microsoft Windows Vista x64 Edition SP1
• Microsoft Windows Vista x64 Edition SP2
• Microsoft Windows Vista x64 Edition
• Nortel Networks CallPilot 1002Rp
• Nortel Networks CallPilot 201I
• Nortel Networks CallPilot 202I
• Nortel Networks CallPilot 600R
• Nortel Networks CallPilot 703T
• Nortel Networks Contact Center Administration
• Nortel Networks Contact Center Express
• Nortel Networks Contact Center Manager Server
• Nortel Networks Contact Center NCC
• Nortel Networks Contact Center - TAPI Server
• Nortel Networks Self-Service - CCSS7
• Nortel Networks Self-Service CCXML
• Nortel Networks Self-Service MPS 100
• Nortel Networks Self-Service MPS 1000
• Nortel Networks Self-Service MPS 500
• Nortel Networks Self-Service Peri Application
• Nortel Networks Self-Service Peri Workstation
• Nortel Networks Self-Service Speech Server
• Nortel Networks Self Service VoiceXML
• Nortel Networks Self-Service WVADS
• Nortel Networks Symposium Agent

References

• CVE: CVE-2009-1925
• URL: http://www.faqs.org/rfcs/rfc1323.html
• URL: http://www.microsoft.com/technet/security/Bulletin/ms09-048.mspx