MS10-029: Vulnerability in Windows ISATAP Component could allow spoofing

Microsoft has released security bulletin MS10-029. To view the complete security bulletin, visit one of the following Microsoft Web sites:

• Home users:
  http://www.microsoft.com/security/updates/bulletins/201004.aspx

  (http://www.microsoft.com/security/updates/bulletins/201004.aspx)
  Skip the details: Download the updates for your home computer or laptop from the Microsoft Update Web site now:
  http://update.microsoft.com/microsoftupdate

  (http://update.microsoft.com/microsoftupdate)
• IT professionals:
  http://www.microsoft.com/technet/security/bulletin/MS10-029.mspx

  (http://www.microsoft.com/technet/security/bulletin/MS10-029.mspx)

How to obtain help and support for this security update

Help installing updates: Support for Microsoft Update

Security solutions for IT professionals: TechNet Security Troubleshooting and Support

Help protect your computer that is running Windows from viruses and malware: Virus Solution and Security Center

Local support according to your country: International Support

Description of the functionality changes in this security bulletin

This security update implements two features on IPv6 Intra-Site Automatic Tunnel Addressing Protocol (ISATAP):

• Potential Router List (PRL): PRL enables ISATAP clients to perform source address checking on incoming ISATAP packets. PRL is documented in Internet Standard RFC 5214. After you install this security update, additional enforcement will occur based on the information in the PRL. This helps protect customers against the vulnerability that is described in security bulletin MS10-029.
• Neighbor Unreachability Detection (NUD): NUD is used by ISATAP routers to check whether a neighbor is reachable or not. NUD is documented in Internet standard RFC 4861. Because of high compatibility requirements, NUD is turned off by default after you install this security update. Therefore, NUD requires manual configuration.

How does the Potential Router List (PRL) work?

The Potential Router List is a feature that maintains a list on each ISATAP client of its ISATAP routers. These addresses are obtained from DNS resolution on the ISATAP router. After you install this update, Windows will perform additional validation by using the information that is contained in the PRL.

When a packet is received, the packet will be processed only if one of the following two conditions is satisfied:

• The IPv4 source address matches the last 32 bits of the IPv6 source address.
• The IPv4 source address matches an address in the Potential Router List. This indicates that the packet was tunneled by the client’s ISATAP router.

For example, consider the following scenario: In this scenario, host A sends an ISATAP tunneled packet to host B with the IPv4 source address of 1.1.1.1. A spoofed IPv6 source address exists in the tunneled packet, for example, 2ffe::5efe:3.3.3.3. Without PRL, host B would respond to 3.3.3.3 instead of 1.1.1.1.

However, when PRL is used, PRL detects the spoofing attempt and will not process the packet.

How does Neighbor Unreachability Detection (NUD) work?

Neighbor Unreachability Detection (NUD) is a new feature that is deployed by this update on ISATAP routers. NUD will validate whether a neighbor is reachable or not before forwarding packets. This helps ensure correct operations of the network and prevents specific kinds of routing loops.

Before forwarding a packet, upon enabling this feature, the router will send a Neighbor Solicitation (NS) to the destination ISATAP node. This node will receive the solicitation, and if it does not have the IPv6 address in question, the ISATAP node will not respond to the NS and will discard the packet. If the address is assigned to the receiving ISATAP node, the ISATAP node will respond with a Neighbor Advertisement (NA). Upon receiving this NA, the originating node will forward the packet.

How should I deploy NUD in my network?

Customers should be careful when they deploy NUD. If not all ISATAP nodes on the network support NUD, enabling NUD could result in connectivity issues. An ISATAP router that sends a Neighbor Solicitation to a device that does not support NUD will not receive a reply. Therefore the ISATAP router would conclude that the route is unavailable.

NUD is supported in Windows 7 and Windows Server 2008 R2-based systems. However, it must be manually enabled.

In Windows XP, Windows Server 2003, Windows Vista, and Windows Server 2008-based systems, you must install security update 978338 and then manually enable NUD.

We recommend that you verify with any third-party suppliers of ISATAP-enabled routers to determine whether their device implements NUD, and supports processing of NS and NA packets.

How do I enable Neighbor Unreachability Detection?

Enable NUD on Windows Vista, Windows Server 2008, Windows 7, and Windows Server 2008 R2-based systems

To enable Neighbor Unreachability Detection, follow these steps:

1. Type the following command at a command prompt, and then press ENTER:
   netsh int ipv6 set interface ISATAP interface-name nud=enabled
2. Restart the computer.

To disable Neighbor Unreachability Detection, follow these steps:

1. Type the following command at a command prompt, and then press ENTER:
   netsh int ipv6 set interface ISATAP interface-name nud=di store=persistent
2. Restart the computer.

Enable NUD on Windows XP and Windows Server 2003-based systems

Important This section, method, or task contains steps that tell you how to modify the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base: To Enable NUD, add a DWORD value named NUDEnabledOnISATAP that has a value of 1 to the following registry subkey: To disable the fix, change the NUDEnabledOnISATAP DWORD entry to use a value of 0 (zero).

To add these registry values, follow these steps:

1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
3. On the Edit menu, point to New, and then click Key.
4. Type GlobalParams for the name of the key, and then press ENTER.
5. Double-click the GlobalParams key to open it.
6. On the Edit menu, point to New, and then click DWORD Value.
7. Type NUDEnabledOnISATAP for the name of the DWORD, and then press ENTER.
8. Right-click NUDEnabledOnISATAP, and then click Modify.
9. In the Value data box, type 1 to enable NUD, and then click OK.
   
   Note To disable NUD, type 0 (zero), and then click OK.
10. Exit Registry Editor, and then restart the computer.

The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.

Windows XP and Windows Server 2003 file information

• The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.
• GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.
• In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that is signed with a Microsoft digital signature.

For all supported x86-based versions of Windows XP

For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition

For all supported x86-based versions of Windows Server 2003

For all supported IA-64-based versions of Windows Server 2003

Windows Vista and Windows Server 2008 file information

• The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table:
  Collapse this tableExpand this table

  Version	Product	Milestone	Service branch
  6.0.6000.16xxx	Windows Vista	RTM	GDR
  6.0.6000.20xxx	Windows Vista	RTM	LDR
  6.0.6001.18xxx	Windows Vista SP1 and Windows Server 2008 SP1	SP1	GDR
  6.0.6001.22xxx	Windows Vista SP1 and Windows Server 2008 SP1	SP1	LDR
  6.0.6002.18xxx	Windows Vista SP2 and Windows Server 2008 SP2	SP2	GDR
  6.0.6002.22xxx	Windows Vista SP2 and Windows Server 2008 SP2	SP2	LDR

• Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.0000.xxxxxx version number.
• GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
• The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) are signed with a Microsoft digital signature.

For all supported x86-based versions of Windows Vista and Windows Server 2008

For all supported x64-based versions of Windows Vista and Windows Server 2008

For all supported IA-64-based versions of Windows Server 2008

Additional file information for Windows Vista and Windows Server 2008

Additional files for all supported x86-based versions of Windows Vista and Windows Server 2008

Additional files for all supported x64-based versions of Windows Vista and Windows Server 2008

Additional files for all supported IA-64-based versions of Windows Server 2008