[NT] Microsoft Windows XP Firewall Default Configuration Vulnerability (SP2, Local Subnet)

From: SecuriTeam (support_at_securiteam.com)
Date: 12/16/04

    To: list@securiteam.com
    Date: 16 Dec 2004 14:21:12 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

    Microsoft Windows XP Firewall Default Configuration Vulnerability (SP2, Local Subnet)
    ------------------------------------------------------------------------

    SUMMARY

    After you set up Microsoft Windows Firewall in Microsoft Windows XP
    Service Pack 2 (SP2), you may discover that your computer can be accessed
    by anyone on the Internet when you use a dial-up connection to connect to
    the Internet. This is due to a bug in the way Microsoft's Firewall
    handles local subnets.

    DETAILS

    This problem occurs because of the way that Windows Firewall interprets
    local subnets when the "My network (subnet) only" option is used. Windows
    Firewall is included with Windows XP SP2.

    Because of the way that some dialing software configures routing tables,
    Windows Firewall in Windows XP SP2 can sometimes interpret the whole
    Internet to be a local subnet. This can let anyone on the Internet access
    the Windows Firewall exceptions. When the "My network (subnet) only"
    option is enabled, it is automatically selected for file and print
    sharing. Therefore, your shared drives can be unexpectedly revealed on the
    Internet when you use a dial-up connection.

    Solution:
    To resolve this problem, you must download and install the Critical Update
    for Windows XP:
    <http://www.microsoft.com/downloads/details.aspx?amp;displaylang=en&familyid=da66a0ac-55ca-4591-b3e6-d78695899141&displaylang=en> KB886185

    After you install the Critical Update for Windows XP (KB886185), Windows
    Firewall will no longer interpret a dial-up network connection to be on
    your local subnet.

    Specifically, any IP Route Table entry that has an IP address of 0.0.0.0
    and has a mask of 0.0.0.0 will not be interpreted to be on the local
    subnet. This means that any port exceptions or program exceptions that use
    the "My network (subnet) only" option in Windows Firewall will not be
    available over a dial-up connection. You will still be able to access
    exceptions over a dial-up connection if you remove all scope restrictions,
    or if you create a custom scope for exceptions.
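
The scope decision described above can be sketched as follows. This is an added example, not Microsoft's code or part of the original advisory: it assumes a simplified model in which every route table entry counts as "local subnet", and the route table and addresses are constructed sample values.

```python
import ipaddress

# Constructed route table for a dial-up session: (destination, netmask).
# Illustrative values only, not captured from a real host.
DIALUP_ROUTES = [
    ("0.0.0.0", "0.0.0.0"),              # default route installed by the dialer
    ("127.0.0.0", "255.0.0.0"),          # loopback
    ("203.0.113.7", "255.255.255.255"),  # address assigned to the dial-up link
    ("192.168.1.0", "255.255.255.0"),    # home LAN
]


def to_network(dest, mask):
    """Convert a route table destination/netmask pair to an IPv4Network."""
    return ipaddress.ip_network(f"{dest}/{mask}", strict=False)


def local_subnets(routes, patched):
    """Networks matched by 'My network (subnet) only' in this simplified model."""
    nets = []
    for dest, mask in routes:
        net = to_network(dest, mask)
        # Behaviour described for KB886185: an entry with address 0.0.0.0
        # and mask 0.0.0.0 is never interpreted as the local subnet.
        if patched and net.prefixlen == 0:
            continue
        nets.append(net)
    return nets


def in_scope(source, routes, patched):
    """True if traffic from `source` would reach a subnet-scoped exception."""
    addr = ipaddress.ip_address(source)
    return any(addr in net for net in local_subnets(routes, patched))


def audit(routes):
    """Route entries that make subnet scope cover every IPv4 address."""
    return [(d, m) for d, m in routes if to_network(d, m).prefixlen == 0]


if __name__ == "__main__":
    internet_host = "198.51.100.23"  # constructed remote address
    print("unpatched:", in_scope(internet_host, DIALUP_ROUTES, patched=False))
    print("patched:  ", in_scope(internet_host, DIALUP_ROUTES, patched=True))
    print("entries to review:", audit(DIALUP_ROUTES))
```
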

    Subnets can be highly variable, depending on the network that they are
    connected to. Therefore, using the "My network" scope restriction does not
    guarantee security. We strongly recommend that you use the custom scope
    option when you want to make sure that no unwanted incoming traffic is
    permitted to pass through your firewall exceptions.

    For more information about configuring Windows Firewall, visit the
    following Microsoft TechNet Web page:
    <http://www.microsoft.com/technet/community/columns/cableguy/cg0204.mspx>

    ADDITIONAL INFORMATION

    The information has been provided by
    <mailto:nathan.fowler@packetmail.net> Nathan Fowler.
    The original article can be found at:
    <http://support.microsoft.com/kb/886185>
