Alert:Microsoft Security Bulletin - MS02-006

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 03/07/02

Date:         Thu, 7 Mar 2002 03:02:17 -0500
From: Russ <Russ.Cooper@RC.ON.CA>

Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run

Originally posted: February 12, 2002
Updated: March 5, 2002


Who should read this bulletin: System administrators who use Simple Network Management Protocol to manage Microsoft® Windows® 95, 98, 98SE, Windows NT® 4.0, Windows 2000 or Windows XP systems

Impact of vulnerability: Denial of Service, potentially run code of attacker's choice

Maximum Severity Rating: Moderate

Recommendation: Customers using SNMP on Windows 2000 and Windows XP should apply the patch. All other customers should disable SNMP service if running; apply patch when available

Affected Software:
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP

Technical description:

On February 12 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.

On March 5, 2002, Microsoft released an updated version of the bulletin annoucing the availability of a patch for Windows NT 4.0 and to advise customers that the work-around procedure is no longer needed for that platform. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.

Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.

A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.

A patch is under development to eliminate the vulnerability. In the meantime, Microsoft recommends that customers who use the SNMP service disable it temporarily. Patches will be available shortly, at which time we will re-release this bulletin with updated details.

Mitigating factors:
- The SNMP service is neither installed nor running by default in any version of Windows.
- Standard firewalling practices recommend blocking the port over which SNMP operates (UDP ports 161 and 162). If these recommendations have been followed, the vulnerability could only be exploited by an intranet user.
- Standard security recommendations recommend against using SNMP except on trusted networks, as the protocol, by design, provides minimal security.

Vulnerability identifier: CAN-2002-0053

This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

I can only hope that the information it does contain can be read well enough to serve its purpose.

Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

Relevant Pages

  • SecurityFocus Microsoft Newsletter #71
    ... DaanSystems NewsReactor Password Encoding Vulnerability ... Microsoft Windows NT Inaccurate Login Logging Vulnerability ... Oracle RDBMS Server Default Account Vulnerability ... Avirt Gateway Suite Telnet Proxy Remote SYSTEM Access... ...
  • SecurityFocus Microsoft Newsletter #145
    ... integrated suite of Web application security products, ... Microsoft URLScan Tool Information Disclosure Vulnerability ... BillingExplorer Multiple Remote Client Communication Integrity... ... Microsoft Windows CreateFile API Named Pipe Privilege... ...
  • SecurityFocus Microsoft Newsletter #177
    ... RobotFTP Server Username Buffer Overflow Vulnerability ... Ipswitch IMail Server Remote LDAP Daemon Buffer Overflow Vul... ... Microsoft Windows XP Help And Support Center Interface Spoof... ...
  • SecurityFocus Microsoft Newsletter #135
    ... most recognized corporate security certification track, ... Rinetd Connection List Resizing Denial of Service Vulnerability ... OpenBB Index.PHP Remote SQL Injection Vulnerability ... Microsoft Windows Service Control Manager Race Condition... ...
  • SecurityFocus Microsoft Newsletter #158
    ... Gamespy 3d IRC Client Remote Buffer Overflow Vulnerability ... Microsoft Windows PostThreadMessage() Arbitrary Process Kill... ...