[NT] Vulnerability in Network Connection Manager Allows DoS (MS05-045)

From: SecuriTeam (support_at_securiteam.com)
Date: 10/12/05

    To: list@securiteam.com
    Date: 12 Oct 2005 09:42:13 +0200
    
    

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
    - - promotion

    The SecuriTeam alerts list - Free, Accurate, Independent.

    Get your security news from a reliable source.
    http://www.securiteam.com/mailinglist.html

    - - - - - - - - -

      Vulnerability in Network Connection Manager Allows DoS (MS05-045)
    ------------------------------------------------------------------------

    SUMMARY

    A denial of service vulnerability exists that could allow an attacker to
    send a specially crafted network packet to an affected Windows system. An
    attacker who successfully exploited this vulnerability could cause the
    component responsible for managing network and remote access connections
    to stop responding. If the affected component is stopped due to an attack,
    it will automatically restart when new requests are received.

    DETAILS

    Affected Software:
     * Microsoft Windows 2000 Service Pack 4 - Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=92C5A89F-89E5-4A33-ACD6-4F42AE921681>
     * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
    Pack 2 - Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=19569E67-6D99-41FC-9457-44EC524F6106>
     * Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
    Pack 1 - Download the update:
    <http://www.microsoft.com/downloads/details.aspx?FamilyId=143B0289-6E60-4918-A46C-B0BE2131C7AF>

    Non-Affected Software:
     * Microsoft Windows XP Professional x64 Edition
     * Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
    Windows Server 2003 with SP1 for Itanium-based Systems
     * Microsoft Windows Server 2003 x64 Edition
     * Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
    Microsoft Windows Millennium Edition (ME)

    CVE Information:
     CAN-2005-2307
    <http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-2307>

    Mitigating Factors for Network Connection Manager Vulnerability:
     * On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1,
    the affected component is not vulnerable remotely. An attacker must have
    valid logon credentials and be able to log on locally to exploit this
    vulnerability.

     * On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003, an
    attacker must have valid logon credentials to exploit this vulnerability.
    The vulnerability could not be exploited by anonymous users. However, the
    affected component is available remotely to users who have standard user
    accounts. In certain configurations, anonymous users could authenticate as
    the Guest account. For more information, see Microsoft Security Advisory
    906574 <http://www.microsoft.com/technet/security/advisory/906574.mspx>.

     * Firewall best practices and standard default firewall configurations
    can help protect networks from attacks that originate outside the
    enterprise perimeter. Best practices recommend that systems that are
    connected to the Internet have a minimal number of ports exposed.

    Workarounds for Network Connection Manager Vulnerability:
     * Block the following at the enterprise perimeter firewall:
      o UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
      o All unsolicited inbound traffic on ports greater than 1024
      o Any other specifically configured RPC port
      o If installed, COM Internet Services (CIS) or RPC over HTTP, which
    listen on ports 80 and 443

    These ports could be used to initiate a connection with affected systems.
    Blocking them at the firewall will help prevent systems that are behind
    that firewall from attempts to exploit this vulnerability that originate
    outside the enterprise perimeter. Also, make sure that you block any other
    specifically configured RPC port on the remote system. We recommend that
    you block all unsolicited inbound communication from the Internet to help
    prevent attacks that may use other ports. For more information about ports
    that RPC uses, visit the following Web site. For more information about
    how to disable CIS, see Microsoft Knowledge Base Article 825819
    <http://support.microsoft.com/kb/825819>.
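    As an added example (not part of the SecuriTeam or Microsoft text), the perimeter workaround above expressed as a reviewable set of iptables rules for a Linux gateway. The FORWARD chain, the interface name eth0, and the two caller-supplied variables for site-specific RPC ports and CIS/RPC-over-HTTP hosts are assumptions; the script only prints the rules, it does not apply them.

```shell
#!/bin/sh
# Added example, not part of the advisory: print iptables rules for a Linux
# perimeter gateway that implement the MS05-045 workaround. The FORWARD
# chain and the interface name eth0 are assumptions; nothing is applied,
# the rules are only echoed so they can be reviewed first.
WAN_IF="${WAN_IF:-eth0}"

# Ports named in the advisory.
UDP_PORTS="135,137,138,445"
TCP_PORTS="135,139,445,593"
# Optional, empty unless set by the caller: extra RPC ports configured at the
# site, and hosts running COM Internet Services / RPC over HTTP.
EXTRA_RPC_TCP_PORTS="${EXTRA_RPC_TCP_PORTS:-}"
CIS_HOSTS="${CIS_HOSTS:-}"

ms05045_rules() {
    # Replies to connections opened from inside keep flowing.
    echo "iptables -A FORWARD -i $WAN_IF -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    # RPC / NetBIOS / SMB ports listed in the workaround.
    echo "iptables -A FORWARD -i $WAN_IF -p udp -m multiport --dports $UDP_PORTS -j DROP"
    echo "iptables -A FORWARD -i $WAN_IF -p tcp -m multiport --dports $TCP_PORTS -j DROP"
    # Any other specifically configured RPC port.
    if [ -n "$EXTRA_RPC_TCP_PORTS" ]; then
        echo "iptables -A FORWARD -i $WAN_IF -p tcp -m multiport --dports $EXTRA_RPC_TCP_PORTS -j DROP"
    fi
    # Unsolicited inbound traffic on ports greater than 1024 (dynamic RPC endpoints).
    for proto in tcp udp; do
        echo "iptables -A FORWARD -i $WAN_IF -p $proto --dport 1025:65535 -m conntrack --ctstate NEW -j DROP"
    done
    # CIS / RPC over HTTP listen on 80 and 443: block only toward the hosts that run them.
    for h in $CIS_HOSTS; do
        echo "iptables -A FORWARD -i $WAN_IF -d $h -p tcp -m multiport --dports 80,443 -j DROP"
    done
}

ms05045_rules
```

Pipe the output into a shell (after review) on the gateway to apply it; the ESTABLISHED,RELATED rule must stay first so that sessions initiated from inside are not cut off by the ">1024" rule.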

    What is the scope of the vulnerability?
    This is a denial of service vulnerability. An attacker who successfully
    exploited this vulnerability could cause the component responsible for
    managing network and remote access connections to stop responding. If the
    affected component is stopped due to an attack, it will automatically
    restart when new requests are received. Note that the denial of service
    vulnerability would not allow an attacker to execute code or to elevate
    their user rights, but it could cause the affected system to stop
    accepting requests.

    What causes the vulnerability?
    An unchecked buffer in the Network Connection Manager.

    What is Network Connection Manager?
    The Network Connection Manager is an operating system component that
    provides a means of controlling a system's network connections, such as
    those seen in the Network and Dial-Up Connections folder. When a user
    makes a new network connection, such as through the dial-up networking
    wizard, the Network Connection Manager processes the request to make the
    connection.

    What might an attacker use the vulnerability to do?
    An attacker who successfully exploited this vulnerability could cause the
    component responsible for managing network and remote access connections
    to stop responding. If the affected component is stopped due to an attack,
    it will automatically restart when new requests are received.

    Who could exploit the vulnerability?
    On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the
    affected component is not vulnerable remotely. An attacker must have valid
    logon credentials and be able to log on locally to exploit this
    vulnerability. On Windows 2000, Windows XP Service Pack 1, and Windows
    Server 2003, an attacker must have valid logon credentials to exploit this
    vulnerability. The vulnerability could not be exploited by anonymous
    users. However, remote authenticated users could attempt to exploit this
    vulnerability. In certain configurations, anonymous users could
    authenticate as the Guest account. For more information, see Microsoft
    Security Advisory 906574
    <http://www.microsoft.com/technet/security/advisory/906574.mspx>.

    How could an attacker exploit the vulnerability?
    An attacker could try to exploit the vulnerability by creating a specially
    crafted request and sending the request to the affected component. If the
    affected component is stopped due to an attack, it will automatically
    restart when new requests are received.

    What systems are primarily at risk from the vulnerability?
    Windows 2000, Windows XP Service Pack 1 and Windows Server 2003 systems
    are primarily at risk from this vulnerability. Servers could be at more
    risk if users who do not have sufficient administrative permissions are
    given the ability to log on to servers and to run programs. However, best
    practices strongly discourage allowing this.

    Could the vulnerability be exploited over the Internet?
    No. An attacker must be able to authenticate to the specific system that
    is targeted for attack. An attacker cannot load and run a program remotely
    by using this vulnerability.

    What does the update do?
    The update removes the vulnerability by modifying the way that the Network
    Connection Manager validates the length of a message before it passes the
    message to the allocated buffer.

    When this security bulletin was issued, had this vulnerability been
    publicly disclosed?
    Yes. This vulnerability has been publicly disclosed and was previously
    assigned Common Vulnerability and Exposure number CAN-2005-2307.

    When this security bulletin was issued, had Microsoft received any reports
    that this vulnerability was being exploited?
    No. Microsoft had seen examples of proof of concept code published
    publicly but had not received any information to indicate that this
    vulnerability had been publicly used to attack customers when this
    security bulletin was originally issued.

    Does applying this security update help protect customers from the code
    that has been published publicly that attempts to exploit this
    vulnerability?
    Yes. This security update addresses the proof of concept code that has
    been published that attempts to exploit this issue. The vulnerability that
    has been addressed has been assigned the Common Vulnerability and Exposure
    number CAN-2005-2307.

    ADDITIONAL INFORMATION

    The information has been provided by Microsoft Product Security.
    The original article can be found at:
    <http://www.microsoft.com/technet/security/bulletin/MS05-045.mspx>

    ========================================

    This bulletin is sent to members of the SecuriTeam mailing list.
    To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
    In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com

    ====================
    ====================

    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any kind.
    In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

