[NT] RPC Mutual Authentication Spoofing (MS06-031)
- From: SecuriTeam <support@xxxxxxxxxxxxxx>
- Date: 14 Jun 2006 12:31:44 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
RPC Mutual Authentication Spoofing (MS06-031)
------------------------------------------------------------------------
SUMMARY
There is a spoofing vulnerability in the way that RPC handles mutual
authentication. This vulnerability could allow an attacker to persuade a
user to connect to a malicious RPC server which appears to be valid.
A vulnerability in RPC Mutual Authentication could allow spoofing.
DETAILS
Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 4 - Download the update:
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5089d956-7d8d-4241-9ca2-107ce4f8c093>
Immune Systems:
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service
Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and
Microsoft Windows Millennium Edition (Me)
Mitigating Factors for RPC Mutual Authentication Vulnerability:
* An attacker would have no way to force users to connect to a malicious
RPC server.
Workarounds for RPC Mutual Authentication Vulnerability:
Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.
* To help protect from network-based attempts to exploit this
vulnerability, IPSec can be used to ensure the identity of a system.
Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and about how to apply
filters is available in Microsoft Knowledge Base Article 313190
<http://support.microsoft.com/kb/313190> and Microsoft Knowledge Base
Article 813878 <http://support.microsoft.com/kb/813878>.
FAQ for RPC Mutual Authentication Vulnerability:
What is the scope of the vulnerability?
This is a spoofing vulnerability which affects custom RPC applications
acting as RPC clients using SSL with the mutual authentication option. An
attacker who successfully exploited this vulnerability could impersonate a
valid RPC server.
What causes the vulnerability?
The affected product does not correctly validate the identity of the RPC
server when using mutual authentication over Secure Sockets Layer
(SSL).
What is Mutual Authentication?
In mutual authentication, both the client and the server machines exchange
credentials to verify each other's identity before data is exchanged.
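
The two answers above, as an added example that is not part of the original bulletin and is not Microsoft's RPC code: a small Python model of a client that accepts any chain-trusted server certificate, beside one that also checks that the certificate names the intended server. The certificate dictionaries and host names are constructed for illustration, and the dictionaries follow the shape returned by Python's ssl.SSLSocket.getpeercert().

```python
# Added illustration of the flaw class (server identity not validated).
# All certificates and host names below are constructed sample data.

def dns_names(cert):
    """DNS identities a certificate asserts: subjectAltName first, else CN."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]

def name_matches(pattern, host):
    """Case-insensitive match; '*' is allowed only as the whole left-most label."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        # Refuse overly broad wildcards such as '*.example'.
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def accept_chain_only(cert, chain_trusted, expected_server):
    """Flawed client: any certificate issued by a trusted CA is accepted."""
    return chain_trusted

def accept_with_identity(cert, chain_trusted, expected_server):
    """Correct client: trusted chain AND the certificate names the server."""
    return chain_trusted and any(
        name_matches(n, expected_server) for n in dns_names(cert))

# Constructed certificates: the intended server, another host holding a
# certificate from the same trusted CA, and a wildcard certificate.
INTENDED = {"subject": ((("commonName", "rpc.corp.example"),),),
            "subjectAltName": (("DNS", "rpc.corp.example"),)}
OTHER_HOST = {"subject": ((("commonName", "host7.corp.example"),),),
              "subjectAltName": (("DNS", "host7.corp.example"),)}
WILDCARD = {"subject": ((("commonName", "*.corp.example"),),)}

if __name__ == "__main__":
    for label, cert in (("intended", INTENDED), ("other host", OTHER_HOST)):
        print(label,
              "chain-only:", accept_chain_only(cert, True, "rpc.corp.example"),
              "with identity:", accept_with_identity(cert, True, "rpc.corp.example"))
```
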
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could
impersonate a valid service.
Who could exploit the vulnerability?
An attacker would first need to persuade a user to connect to a resource
which requires mutual authentication using Secure Sockets Layer (SSL). The
attacker could then impersonate a valid RPC server. An attacker would have
no way to force users to visit the RPC server.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by persuading a user to
connect to an RPC service which has been configured to impersonate a valid
server.
What systems are primarily at risk from the vulnerability?
Workstations and servers are at risk from this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the Protect Your PC Web site
<http://go.microsoft.com/fwlink/?LinkId=21169>. IT professionals can visit
the Security Guidance Center Web site
<http://go.microsoft.com/fwlink/?LinkId=21171>.
What does the update do?
The update removes the vulnerability by modifying the way that RPC handles
mutual authentication.
When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.
CVE Information:
CVE-2006-2380
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-2380>
ADDITIONAL INFORMATION
The information has been provided by Microsoft Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/ms06-031.mspx>