Check: 2011-A-0085
windows 7 iavm:
2011-A-0085
(in version v1 r32)
Title
Microsoft Forefront Threat Management Gateway Remote Code Execution Vulnerability (Cat II impact)
Discussion
Microsoft has reported a vulnerability affecting Microsoft Forefront Threat Management Gateway (TMG). Forefront TMG Client provides HTTPS inspection notifications, automatic discovery, enhanced security, application support, and access control for client computers.

To exploit this vulnerability, an attacker would send a malicious request to an affected system that would cause memory corruption on a system where the TMG firewall client is used. If successfully exploited, this vulnerability would allow an attacker to execute arbitrary code and compromise the affected system. At this time, there are no known exploits associated with this vulnerability; USCYBERCOM is not aware of any DoD related incidents.

TMG Firewall Client Memory Corruption Vulnerability - (CVE-2011-1889): A remote code execution vulnerability exists in the TMG Firewall Client Winsock provider that could allow code execution in the security context of the client application. This vulnerability is caused by improper bounds checking of specific requests made through the TMG firewall client.
Check Content
See IAVM notice and vendor bulletin for additional information. Microsoft Bulletin MS11-041 (2525694).

Vulnerable Applications/Systems: Microsoft Forefront Threat Management Gateway 2010 Client

Verify that the patch has been installed by checking that the following sample file is at the version indicated or later. See the vendor bulletin for additional information and any Vulnerable Systems/Applications not listed below.

Fwcmgmt.exe
Microsoft Forefront Threat Management Gateway 2010 Client - 7.0.7734.182
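
The file-version check described above can be scripted. The following is an added example, not part of the IAVM notice or the vendor bulletin; it assumes PowerShell 3.0 or later, and the function name, the `SearchRoot` parameter and the status labels are hypothetical, since the check text does not state where Fwcmgmt.exe is installed.

```powershell
# Added example: compare the file version of Fwcmgmt.exe with the minimum
# version given in the check text (7.0.7734.182).
# Assumption: the install location is not stated in the check, so the caller
# passes one or more directories to search.
function Test-TmgClientPatch {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string[]]$SearchRoot,                        # hypothetical parameter
        [version]$MinimumVersion = '7.0.7734.182'     # value from the check text
    )

    $files = Get-ChildItem -Path $SearchRoot -Filter 'Fwcmgmt.exe' -File -Recurse `
                           -ErrorAction SilentlyContinue

    if (-not $files) {
        # No client binary under the given roots: nothing to compare.
        [pscustomobject]@{
            Path = $null; FileVersion = $null
            MinimumVersion = $MinimumVersion; Status = 'FileNotFound'
        }
        return
    }

    foreach ($file in $files) {
        $info = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($file.FullName)

        # Build the version from the numeric fields; the FileVersion string
        # may carry extra text (for example a build label) that does not parse.
        $actual = New-Object System.Version -ArgumentList `
            $info.FileMajorPart, $info.FileMinorPart, $info.FileBuildPart, $info.FilePrivatePart

        # "At the version indicated or later" means greater than or equal.
        $status = 'Open'
        if ($actual -ge $MinimumVersion) { $status = 'NotAFinding' }

        [pscustomobject]@{
            Path           = $file.FullName
            FileVersion    = $actual
            MinimumVersion = $MinimumVersion
            Status         = $status
        }
    }
}

# Example call; the directory is a placeholder:
# Test-TmgClientPatch -SearchRoot 'C:\Program Files' | Format-Table -AutoSize
```

Every copy of the file that is found is reported separately, so an outdated copy left beside a patched one still shows up as `Open`.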
Fix Text
Additional Identifiers
Rule ID:
Vulnerability ID: V-28584
Group Title:
Expert Comments
CCIs
Number | Definition |
---|---|
No CCIs are assigned to this check |
Controls
Number | Title |
---|---|
No controls are assigned to this check |