Alert: Microsoft Security Bulletin - MS02-070

From: Russ (Russ.Cooper@RC.ON.CA)
Date: 12/12/02

  • Next message: Greg Riedesel: "MS02-071, shatter?" 
    Date:         Thu, 12 Dec 2002 01:51:00 -0500
From: Russ <Russ.Cooper@RC.ON.CA>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    http://www.microsoft.com/technet/security/bulletin/MS02-070.asp

    Flaw in SMB Signing Could Enable Group Policy to be Modified (309376)

    Originally posted: December 11, 2002

    Summary

    Who should read this bulletin: System administrators using Microsoft® Windows® XP or Windows 2000, the latter especially in a domain controller role.

    Impact of vulnerability: Modify group policy.

    Maximum Severity Rating: Moderate

    Recommendation: Administrators whose Windows 2000 or Windows XP Gold systems are configured to use SMB Signing should install the patch immediately.

    Affected Software:
    - Microsoft Windows 2000
    - Microsoft Windows XP

    End User Bulletin: An end user version of this bulletin is available at: http://www.microsoft.com/security/security_bulletins/ms02-070.asp

    Technical description:

    Server Message Block (SMB) is a protocol natively supported by all versions of Windows. Although nominally a file-sharing protocol, it is used for other purposes as well, the most important of which is disseminating group policy information from domain controllers to newly logged on systems. Beginning with Windows 2000, it is possible to improve the integrity of SMB sessions by digitally signing all packets in a session. Windows 2000 and Windows XP can be configured to always sign, never sign, or sign only if the other party requires it.

    A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP could enable an attacker to silently downgrade the SMB Signing settings on an affected system. To do this, the attacker would need access to the session negotiation data as it was exchanged between a client and server, and would need to modify the data in a way that exploits the flaw. This would cause either or both systems to send unsigned data regardless of the signing policy the administrator had set. After having downgraded the signing setting, the attacker could continue to monitor the session and change data within it; the lack of signing would prevent the communicants from detecting the changes.

    Although this vulnerability could be exploited to expose any SMB session to tampering, the most serious case would involve changing group policy information as it was being disseminated from a Windows 2000 domain controller to a newly logged-on network client. By doing this, the attacker could take actions such as adding users to the local Administrators group or installing and running code of his or her choice on the system.

    Mitigating factors:
    - A fix for this issue is already included in Windows XP Service Pack 1.
    - Exploiting the vulnerability would require the attacker to have significant network access already. In most cases, the attacker would need to be located on the same network segment as one of the two participants in the SMB session.
    - The attacker would need to exploit the vulnerability separately for each SMB session he or she wanted to interfere with.
    - The vulnerability would not enable the attacker to change group policy on the domain controller, only to change it as it flowed to the client.
    - SMB Signing is disabled by default on Windows 2000 and Windows XP because of the performance penalty it exacts. On networks where SMB Signing has not been enabled, the vulnerability would pose no additional risk - because SMB data would already be vulnerable to modification.

    Vulnerability identifier: CAN-2002-1256

    This email is sent to NTBugtraq automatically as a service to my subscribers. Since its programmatically created, and since its been a long time since anyone paid actual money for my programming skills, it may or may not look that good...;-]

    I can only hope that the information it does contain can be read well enough to serve its purpose.

    Cheers,
    Russ - Surgeon General of TruSecure Corporation/NTBugtraq Editor

    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Delivery co-sponsored by TruSecure Corporation
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo
    Demonstrate your knowledge and understanding of core IT Security, become
    TICSA certified.

    Are you responsible for IT security in job function, but not necessarily
    in title? Do you want to prove your IT security knowledge and increase
    opportunities? Interested? Visit;

    http://www.trusecure.com/solutions/certifications/ticsa/

    for more information.
    oooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooooo

    Relevant Pages