[NT] Vulnerability in SNMP Could Allow Remote Code Execution (MS06-074)



The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html

- - - - - - - - -



Vulnerability in SNMP Could Allow Remote Code Execution (MS06-074)
------------------------------------------------------------------------


SUMMARY

This update resolves a newly discovered, privately reported, vulnerability
in Microsoft Windows implementation of the SNMP service. An attacker who
successfully exploited this vulnerability could take complete control of
an affected system. An attacker could then install programs; view, change,
or delete data; or create new accounts with full user rights.

DETAILS

Affected Software:
* Microsoft Windows 2000 Service Pack 4
<http://www.microsoft.com/downloads/details.aspx?FamilyId=ecc1e691-626b-405c-87d1-15931d1e4258> Download the update
* Microsoft Windows XP Service Pack 2
<http://www.microsoft.com/downloads/details.aspx?FamilyId=2b57e00f-0f47-4567-b40f-f630ba5a29cb> Download the update
* Microsoft Windows XP Professional x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=65ab5876-7c9a-4add-8b6d-0fd7d617397a> Download the update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service
Pack 1
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7856ee11-4f3a-4138-bfce-1b97fb25be69> Download the update
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft
Windows Server 2003 with SP1 for Itanium-based Systems
<http://www.microsoft.com/downloads/details.aspx?FamilyId=c1b01b91-c565-4d1f-90ec-f57a70fa012e> Download the update
* Microsoft Windows Server 2003 x64 Edition
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5b61249a-dba7-4fd5-85f3-b918044bbc92> Download the update

Non-Affected Software:
* Windows Vista

CVE Information:
SNMP Memory Corruption Vulnerability -
<http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-5583>
CVE-2006-5583

SNMP Memory Corruption Vulnerability - CVE-2006-5583:
A remote code execution vulnerability exists in SNMP Service that could
allow an attacker who successfully exploited this vulnerability to take
complete control of the affected system.

Mitigating Factors for SNMP Memory Corruption Vulnerability -
CVE-2006-5583:
* SNMP service is not installed by default in any supported version of
Windows.

* For customers who require the affected component, firewall best
practices and standard default firewall configurations can help protect
networks from attacks that originate outside the enterprise perimeter.
Best practices recommend that systems that are connected to the Internet
have a minimal number of ports exposed.

Workarounds for SNMP Memory Corruption Vulnerability - CVE-2006-5583:

Microsoft has tested the following workarounds. Although these workarounds
will not correct the underlying vulnerability, they help block known
attack vectors. When a workaround reduces functionality, it is identified
in the following section.

Restrict the IP addresses that are allowed to manage the computer.

1. Click Start, and then click Run.

2. In the Open box, type services.msc and then click OK.

3. Click SNMP Service and select Properties.

4. Click the Security tab and select Accept SNMP packets from these hosts.

5. Add the approved management station's IP address by clicking Add,
typing in the IP address or host name, and clicking Add.

Block the following at the firewall:

* UDP port 161

This port is used to initiate a connection with the affected component.
Blocking it at the firewall will help protect systems that are behind that
firewall from attempts to exploit this vulnerability. Also, make sure that
you block any other specifically configured SNMP port on the remote
system. We recommend that you block all unsolicited inbound communication
from the Internet to help prevent attacks that may use other ports.

To help protect from network-based attempts to exploit this vulnerability,
use a personal firewall, such as the Windows Firewall, which is included
with Windows XP.

By default, the Windows Firewall feature in Windows XP helps protect your
Internet connection by blocking unsolicited incoming traffic. We recommend
that you block all unsolicited incoming communication from the Internet.

To enable the Windows Firewall feature by using the Network Setup Wizard,
follow these steps:

* Click Start, and then click Control Panel.
* Double-click Network Connections and then click Change Windows Firewall
settings.
* On the General tab, ensure that the On (recommended) value is selected.
This will enable the Windows Firewall.
* Once the Windows Firewall is enabled, select Don t allow exceptions to
prohibit all incoming traffic.

If you want to enable certain programs and services to communicate through
the firewall, de-select Don t allow exceptions and click the Exceptions
tab. On the Exceptions tab, select the programs, protocols, and services
you want to enable.

* To help protect from network-based attempts to exploit this
vulnerability, block the affected ports by using IPSec on the affected
systems.

Use Internet Protocol security (IPSec) to help protect network
communications. Detailed information about IPSec and about how to apply
filters is available in <http://support.microsoft.com/kb/313190>
Microsoft Knowledge Base Article 313190 and
<http://support.microsoft.com/kb/813878> Microsoft Knowledge Base Article
813878.

Disable the SNMP service

Disabling the SNMP service will help protect the affected system from
attempts to exploit this vulnerability. To disable the SNMP service,
follow these steps:

1. Click Start, and then click Control Panel. Alternatively, point to
Settings, and then click Control Panel.

2. Double-click Administrative Tools.

3. Double-click Services.

4. Double-click SNMP Service.

5. In the Startup type list, click Disabled.

6. Click Stop, and then click OK.

You can also stop and disable the SNMP service by using the following
command at the command prompt:

sc stop SNMP & sc config SNMP start= disabled

Impact of Workaround: If you disable the SNMP service, you may not be able
to monitor systems via SNMP.


FAQ for SNMP Memory Corruption Vulnerability - CVE-2006-5583:

What is the scope of the vulnerability?
A remote code execution vulnerability exists in SNMP Service that could
allow an attacker who successfully exploited this vulnerability to take
complete control of the affected system.

What causes the vulnerability?

An unchecked buffer in the SNMP service.

What is SNMP?
Simple Network Management Protocol (
<http://search.msdn.microsoft.com/search/Redirect.aspx?title=SNMP+Functions+%5bSNMP%5d&url=http://msdn.microsoft.com/library/en-us/snmp/snmp/snmp_functions.asp> SNMP) allows administrators to remotely manage network devices such as servers, workstations, routers, bridges, firewalls, and so forth. SNMP is an industry-standard protocol, which allows devices made by many different vendors to be managed via the protocol.

What is the SNMP Service?
The SNMP service allows incoming (Simple Network Management Protocol) SNMP
requests to be serviced by the local computer. SNMP includes agents that
monitor activity in network devices and report to the network console
workstation.

How do I know if the SNMP Service is installed on my system?
You can confirm the installation of the SNMP service on your system by
doing the following:

1. Click Start, and then click Run.

2. In the Open box, type services.msc and then click OK.

3. Search for the SNMP Service in the list of Services.

If the SNMP Service is listed then it has been installed.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially
crafted message and sending the message to an affected system. The message
could then cause the affected system to execute code.

What systems are primarily at risk from the vulnerability?
Microsoft Windows systems are primarily at risk from this vulnerability.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the
Internet. Firewall best practices and standard default firewall
configurations can help protect against attacks that originate from the
Internet. Microsoft has provided information about how you can help
protect your PC. End users can visit the Protect Your PC Web site. IT
professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by modifying the way that SNMP
Service validates the length of a message before it passes the message to
the allocated buffer.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


ADDITIONAL INFORMATION

The original article can be found at:
<http://www.microsoft.com/technet/security/bulletin/MS06-074.mspx>
http://www.microsoft.com/technet/security/bulletin/MS06-074.mspx



========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@xxxxxxxxxxxxxx
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@xxxxxxxxxxxxxx


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.



Relevant Pages

  • SecurityFocus Microsoft Newsletter #61
    ... Cisco 12000 Series Internet Router Denial Of Service Vulnerability ... Microsoft Windows 2000 RunAs Service Named Pipe Hijacking... ... Reach the LARGEST audience of security professionals with SecurityFocus ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #176
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #242
    ... MICROSOFT VULNERABILITY SUMMARY ... PostNuke Blocks Module Directory Traversal Vulnerability ... Groove Networks Groove Virtual Office COM Object Security By... ... The Microsoft Windows IPV6 TCP/IP stack is prone to a "loopback" condition initiated by sending a TCP packet with the "SYN" flag set and the source address and port spoofed to equal the destination source and port. ...
    (Focus-Microsoft)
  • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
    ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
    (Securiteam)
  • [NT] Korean Input Method Editor Privileges Elevation (MS06-009)
    ... Get your security news from a reliable source. ... vulnerability exists in the Windows and Office Korean Input Method Editor ... Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ... If Remote Desktop is manually enabled, ...
    (Securiteam)