Vulnerability in Network Connection Manager Allows Denial of Service
Thursday, 13 October 2005
Summary
A denial of service vulnerability exists that could allow an attacker to send a specially crafted network packet to an affected Windows system. An attacker who successfully exploited this vulnerability could cause the component responsible for managing network and remote access connections to stop responding. If the affected component is stopped due to an attack, it will automatically restart when new requests are received.

Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS05-045.mspx

Details
Affected Software:
* Microsoft Windows 2000 Service Pack 4 - Download the update
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 - Download the update
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1 - Download the update

Non-Affected Software:
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)

CVE Information:
CAN-2005-2307

Mitigating Factors for Network Connection Manager Vulnerability:
* On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the affected component is not vulnerable remotely. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability.

* On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003, an attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account. For more information, see Microsoft Security Advisory 906574.

* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.


Workarounds for Network Connection Manager Vulnerability:
* Block the following at the enterprise perimeter firewall:
o UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
o All unsolicited inbound traffic on ports greater than 1024
o Any other specifically configured RPC port
o If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443

These ports could be used to initiate a connection with affected systems. Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability that originate outside the enterprise perimeter. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports that RPC uses, visit the following Web site. For more information about how to disable CIS, see Microsoft Knowledge Base Article 825819.

What is the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the component responsible for managing network and remote access connections to stop responding. If the affected component is stopped due to an attack, it will automatically restart when new requests are received. Note that the denial of service vulnerability would not allow an attacker to execute code or to elevate their user rights, but it could cause the affected system to stop accepting requests.

What causes the vulnerability?
An unchecked buffer in the Network Connection Manager.

What is Network Connection Manager?
The Network Connection Manager is an operating system component that provides a means of controlling a system's network connections, such as those seen in the Network and Dial-Up Connections folder. When a user makes a new network connection, such as through the dial-up networking wizard, the Network Connection Manager processes the request to make the connection.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause the component responsible for managing network and remote access connections to stop responding. If the affected component is stopped due to an attack, it will automatically restart when new requests are received.

Who could exploit the vulnerability?
On Windows XP Service Pack 2 and Windows Server 2003 Service Pack 1, the affected component is not vulnerable remotely. An attacker must have valid logon credentials and be able to log on locally to exploit this vulnerability. On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003, an attacker must have valid logon credentials to exploit this vulnerability. The vulnerability could not be exploited by anonymous users. However, remote authenticated users could attempt to exploit this vulnerability. In certain configurations, anonymous users could authenticate as the Guest account. For more information, see Microsoft Security Advisory 906574.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by creating a specially crafted request and sending the request to the affected component. If the affected component is stopped due to an attack, it will automatically restart when new requests are received.

What systems are primarily at risk from the vulnerability?
Windows 2000, Windows XP Service Pack 1 and Windows Server 2003 systems are primarily at risk from this vulnerability. Servers could be at more risk if users who do not have sufficient administrative permissions are given the ability to log on to servers and to run programs. However, best practices strongly discourage allowing this.

Could the vulnerability be exploited over the Internet?
No. An attacker must be able to authenticate to the specific system that is targeted for attack. An attacker cannot load and run a program remotely by using this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that the Network Connection Manager validates the length of a message before it passes the message to the allocated buffer.
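The two answers above (the cause, an unchecked buffer, and the fix, validating a message's length before it is passed to the allocated buffer) describe a general pattern. The following C program is an added illustration of that pattern, not Microsoft's code and not the Network Connection Manager's real message format: it assumes a hypothetical wire format of a 4-byte little-endian length header followed by the payload, a fixed receive buffer of MAX_PAYLOAD bytes, and the helper names parse_checked, build_message and demo_case, all of which are constructed for this example. The unchecked variant would trust the header and copy that many bytes; the checked variant rejects a declared length that exceeds the buffer or the bytes actually received, which is what prevents the crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Hypothetical message format (constructed for this example): a 4-byte
 * little-endian payload length, then the payload bytes. */
#define MAX_PAYLOAD 64

enum parse_status {
    PARSE_OK = 0,
    PARSE_SHORT_HEADER = 1, /* fewer than 4 bytes received */
    PARSE_TOO_LONG = 2,     /* declared length exceeds the allocated buffer */
    PARSE_TRUNCATED = 3     /* declared length exceeds the bytes actually received */
};

struct message {
    uint32_t declared_len;
    uint8_t payload[MAX_PAYLOAD];
};

static uint32_t read_le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length-validated parse. The unchecked pattern described in the bulletin
 * would do memcpy(out->payload, in + 4, declared) without either test below:
 * a header above MAX_PAYLOAD then overruns the buffer, and a header above the
 * received size reads past the input, either of which can crash the process. */
static enum parse_status parse_checked(const uint8_t *in, size_t in_len,
                                       struct message *out) {
    if (in_len < 4)
        return PARSE_SHORT_HEADER;
    uint32_t declared = read_le32(in);
    if (declared > MAX_PAYLOAD)            /* would overrun out->payload */
        return PARSE_TOO_LONG;
    if (declared > in_len - 4)             /* would read beyond the input */
        return PARSE_TRUNCATED;
    out->declared_len = declared;
    memcpy(out->payload, in + 4, declared); /* now provably in bounds */
    return PARSE_OK;
}

/* Constructs a test message: writes header_len into the header and appends
 * n filler bytes. The header is written independently of n so that a
 * mismatching (lying) header can be produced. Returns bytes written, 0 if
 * the message does not fit in buf. */
static size_t build_message(uint8_t *buf, size_t cap, uint32_t header_len, size_t n) {
    if (cap < 4 + n)
        return 0;
    buf[0] = (uint8_t)(header_len & 0xff);
    buf[1] = (uint8_t)((header_len >> 8) & 0xff);
    buf[2] = (uint8_t)((header_len >> 16) & 0xff);
    buf[3] = (uint8_t)((header_len >> 24) & 0xff);
    memset(buf + 4, 'A', n);
    return 4 + n;
}

/* Builds a message with the given header and payload size, parses it, and
 * returns the parser's verdict. */
static enum parse_status demo_case(uint32_t header_len, size_t n) {
    uint8_t buf[4 + MAX_PAYLOAD * 2];
    struct message m;
    size_t len = build_message(buf, sizeof buf, header_len, n);
    return parse_checked(buf, len, &m);
}

static const char *status_name(enum parse_status s) {
    switch (s) {
    case PARSE_OK:           return "ok";
    case PARSE_SHORT_HEADER: return "rejected: short header";
    case PARSE_TOO_LONG:     return "rejected: declared length exceeds buffer";
    case PARSE_TRUNCATED:    return "rejected: declared length exceeds received bytes";
    }
    return "unknown";
}

int main(void) {
    printf("consistent 10-byte message: %s\n", status_name(demo_case(10, 10)));
    printf("header claims 1000 bytes:   %s\n", status_name(demo_case(1000, 10)));
    printf("header claims 20, sent 10:  %s\n", status_name(demo_case(20, 10)));
    printf("3-byte fragment:            %s\n", status_name(parse_checked((const uint8_t *)"abc", 3, &(struct message){0})));
    return 0;
}
```

The two checks are deliberately separate: comparing against MAX_PAYLOAD protects the destination buffer, while comparing against the received length protects the source; a parser that performs only one of them still has a crash path on the other side.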

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed and was previously assigned Common Vulnerability and Exposure number CAN-2005-2307.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had seen examples of proof of concept code published publicly but had not received any information to indicate that this vulnerability had been publicly used to attack customers when this security bulletin was originally issued.

Does applying this security update help protect customers from the code that has been published publicly that attempts to exploit this vulnerability?
Yes. This security update addresses the proof of concept code that has been published that attempts to exploit this issue. The vulnerability that has been addressed has been assigned the Common Vulnerability and Exposure number CAN-2005-2307.
