Alert:Microsoft Security Bulletin - MS02-006From: Russ (Russ.Cooper@RC.ON.CA)
- Previous message: Russ: "Alert: Worm posing as IE cumulative patch"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 7 Mar 2002 03:02:17 -0500 From: Russ <Russ.Cooper@RC.ON.CA> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run
Originally posted: February 12, 2002
Updated: March 5, 2002
Who should read this bulletin: System administrators who use Simple Network Management Protocol to manage Microsoft® Windows® 95, 98, 98SE, Windows NT® 4.0, Windows 2000 or Windows XP systems
Impact of vulnerability: Denial of Service, potentially run code of attacker's choice
Maximum Severity Rating: Moderate
Recommendation: Customers using SNMP on Windows 2000 and Windows XP should apply the patch. All other customers should disable SNMP service if running; apply patch when available
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98SE
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0 Server, Terminal Server Edition
- Microsoft Windows 2000
- Microsoft Windows XP
On February 12 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.
On March 5, 2002, Microsoft released an updated version of the bulletin annoucing the availability of a patch for Windows NT 4.0 and to advise customers that the work-around procedure is no longer needed for that platform. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.
Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.
A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.
A patch is under development to eliminate the vulnerability. In the meantime, Microsoft recommends that customers who use the SNMP service disable it temporarily. Patches will be available shortly, at which time we will re-release this bulletin with updated details.
- The SNMP service is neither installed nor running by default in any version of Windows.
- Standard firewalling practices recommend blocking the port over which SNMP operates (UDP ports 161 and 162). If these recommendations have been followed, the vulnerability could only be exploited by an intranet user.
- Standard security recommendations recommend against using SNMP except on trusted networks, as the protocol, by design, provides minimal security.
Vulnerability identifier: CAN-2002-0053
This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]
I can only hope that the information it does contain can be read well enough to serve its purpose.
Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor