__________________________________________________________

            The U.S. Department of Energy
        Computer Incident Advisory Capability
__________________________________________________________

                       INFORMATION BULLETIN

     Microsoft Buffer Overrun Vulnerability in Workstation Service
                [Microsoft Security Bulletin MS03-049]

November 11, 2003 19:00 GMT                                  Number O-022
                                                    [REVISED 29 Jan 2004]
______________________________________________________________________________

PROBLEM:       Because of an unchecked buffer, a security vulnerability
               exists in the Workstation service that could allow remote
               code execution on an affected system. The Workstation
               service provides the connectivity to shared files and
               printers on a network and single sign-on for a computer
               in a Windows domain.

PLATFORM:      Microsoft Windows 2000 Service Pack 2, 3, and 4
               NOTE: The Windows 2000 security update that is released
               as part of this security bulletin contains updated files
               that were not part of the MS03-043 (828035) security
               bulletin. Customers have to apply this Windows 2000
               security update even if they applied the Windows 2000
               security updates for MS03-043 (828035). (CIAC Bulletin
               O-004)

               Microsoft Windows XP, Microsoft Windows XP Service Pack 1
               Microsoft Windows XP 64-Bit Edition
               NOTE: The Windows XP security updates that released on
               October 15th as part of Security Bulletin MS03-043
               (828035) include the updated file that helps protect
               from this vulnerability. If you have applied the Windows
               XP security updates for MS03-043 (828035) you do not
               have to reapply this update. (CIAC Bulletin O-004)

               See Cisco Security Advisory Document ID: 48161 for a
               complete listing of Affected Applications.

DAMAGE:        A remote attacker would be able to run code with System
               privileges or could cause the Workstation service to
               fail.

SOLUTION:      Networked computers that are part of a Windows domain or
               that share folders with others should deploy this patch.
               Stand-alone systems that do not share folders can
               alternatively disable the Workstation service.
______________________________________________________________________________

VULNERABILITY  The risk is HIGH. The attacker could install programs,
ASSESSMENT:    view, change, or delete data, or create new accounts with
               full privileges.
______________________________________________________________________________

LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-022.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=
                     /technet/security/bulletin/ms03-049.asp
 ADDITIONAL LINK:    Cisco Security Advisory Document ID: 48161
                     http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=
                     CAN-2003-0812
______________________________________________________________________________

REVISION HISTORY:
 01/29/04 - added a link to Cisco Security Advisory Document ID: 48161.

[***** Start Microsoft Security Bulletin MS03-049 *****]

Microsoft Security Bulletin MS03-049

Buffer Overrun in the Workstation Service Could Allow Code Execution (828749)

Issued: November 11, 2003
Version Number: 1.0

See all Windows bulletins released November, 2003

Summary

Who Should Read This Document: Customers using Microsoft® Windows®

Impact of Vulnerability: Remote Code Execution

Maximum Severity Rating: Critical

Recommendation: Systems administrators should apply the patch immediately.
Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software
  Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 –
    Download the update
  Microsoft Windows XP, Microsoft Windows XP Service Pack 1 – Download the
    update
  Microsoft Windows XP 64-Bit Edition – Download the update

  Note: The Windows XP security updates that released on October 15th as
  part of Security Bulletin MS03-043 (828035) include the updated file that
  helps protect from this vulnerability. If you have applied the Windows XP
  security updates for MS03-043 (828035) you do not have to reapply this
  update. However, the Windows 2000 security update that is released as
  part of this security bulletin contains updated files that were not part
  of the MS03-043 (828035) security bulletin. Customers have to apply this
  Windows 2000 security update even if they applied the Windows 2000
  security updates for MS03-043 (828035).

Non-Affected Software
  Microsoft Windows NT Workstation 4.0, Service Pack 6a
  Microsoft Windows NT Server 4.0, Service Pack 6a
  Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
  Microsoft Windows Millennium Edition
  Microsoft Windows XP 64-Bit Edition Version 2003
  Microsoft Windows Server 2003
  Microsoft Windows Server 2003 64-Bit Edition

The software listed above has been tested to determine if the versions are
affected. Other versions are no longer supported, and may or may not be
affected.

Technical Details

Technical description:

A security vulnerability exists in the Workstation service that could allow
remote code execution on an affected system. This vulnerability results
because of an unchecked buffer in the Workstation service. If exploited, an
attacker could gain System privileges on an affected system, or could cause
the Workstation service to fail.
An attacker could take any action on the system, including installing
programs, viewing data, changing data, or deleting data, or creating new
accounts with full privileges.

Mitigating factors:

- If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138,
  139, 445 by using a firewall, an attacker would be prevented from sending
  messages to the Workstation service. Most firewalls, including Internet
  Connection Firewall in Windows XP, block these ports by default.

- Disabling the Workstation service will prevent the possibility of attack.
  However, there are a number of impacts when performing this workaround.
  Please see the Workaround section for more details.

Only Windows 2000 and Windows XP are affected. Other operating systems are
not vulnerable to this attack.

Severity Rating:
  Microsoft Windows 2000    Critical
  Microsoft Windows XP      Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0812

Workarounds

Microsoft has tested the following workarounds that apply to this
vulnerability. These workarounds help block known attack vectors; however,
they will not correct the underlying vulnerability. Workarounds may reduce
functionality in some cases; in such cases, the reduction in functionality
is identified below.

- Block UDP ports 138, 139, 445 and TCP ports 138, 139, 445 at your
  firewall. These ports are used to accept a Remote Procedure Call (RPC)
  connection at a remote computer. Blocking them at the firewall will help
  prevent systems behind that firewall from being attacked by attempts to
  exploit this vulnerability.

- Use a personal firewall such as Internet Connection Firewall, which is
  included with Windows XP.
  If you use the Internet Connection Firewall feature in Windows XP to help
  protect your Internet connection, Internet Connection Firewall blocks
  inbound traffic from the Internet or from the intranet by default.

  To enable the Internet Connection Firewall feature by using the Network
  Setup Wizard:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Network and Internet Connections,
     and then click Setup or change your home or small office network.

  The Internet Connection Firewall feature is enabled when you select a
  configuration in the Network Setup Wizard that indicates that your
  computer is connected directly to the Internet.

  To configure Internet Connection Firewall manually for a connection:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Networking and Internet
     Connections, and then click Network Connections.
  3. Right-click the connection on which you want to enable Internet
     Connection Firewall, and then click Properties.
  4. Click the Advanced tab.
  5. Select the "Protect my computer or network by limiting or preventing
     access to this computer from the Internet" check box, and then click
     OK.

  Note: If you want to enable the use of some applications and services
  through the firewall, click Settings on the Advanced tab, and then select
  the programs, the protocols, and the services.

- Enable advanced TCP/IP filtering on Windows 2000-based systems and on
  Windows XP-based systems.

  You can enable advanced TCP/IP filtering to block all unsolicited,
  inbound traffic. For additional information about how to configure
  TCP/IP filtering, click the following article number to view the article
  in the Microsoft Knowledge Base:

  309798 HOW TO: Configure TCP/IP Filtering in Windows 2000

- Disable the Workstation service.

  You can disable the Workstation service to help prevent the possibility
  of an attack.

  To disable the Workstation service on Windows XP:

  - Click Start, and then click Control Panel.
  - In the default Category View, click Performance and Maintenance.
  - Click Administrative Tools.
  - Double-click Services.
  - Double-click Workstation.
  - On the General tab, click Disabled in the Startup type list.
  - Click Stop under Service status, and then click OK.

  To disable the Workstation service on Windows 2000:

  - Click Start, point to Settings, and then click Control Panel.
  - Double-click Administrative Tools.
  - Double-click Services.
  - Double-click Workstation.
  - On the General tab, click Disabled in the Startup type list.
  - Click Stop under Service status, and then click OK.

  Impact of Workaround: If the Workstation service is disabled, the system
  cannot connect to any shared file resources or shared print resources on
  a network. Only use this workaround on stand-alone systems (such as many
  home systems) that do not connect to a network.

  If the Workstation service is disabled, any services that explicitly
  depend on the Workstation service do not start, and an error message is
  logged in the system event log. The following services depend on the
  Workstation service:

  - Alerter
  - Browser
  - Messenger
  - Net Logon
  - RPC Locator

  These services are required to access resources on a network and to
  perform domain authentication. Internet connectivity and browsing for
  stand-alone systems, such as users on dial-up connections, on DSL
  connections, or on cable modem connections, should not be affected if
  these services are disabled.

  Note: The Microsoft Baseline Security Analyzer will not function if the
  Workstation service is disabled. It is possible that other applications
  may also require the Workstation service. If an application requires the
  Workstation service, simply re-enable the service. This can be performed
  by changing the Startup Type for the Workstation service back to
  Automatic and restarting the system.
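The two workarounds above, checking whether the SMB/RPC ports the bulletin says to block are listening at all, and disabling the Workstation service with its dependency and re-enable caveats, as one administrative script. This is an added example and is not part of the CIAC or Microsoft bulletin. It is PowerShell and assumes a current Windows host and an elevated prompt, so it does not run on the Windows 2000 and Windows XP systems the bulletin covers (there, the Services console steps above apply); the service name LanmanWorkstation is the real name behind the "Workstation" display name, and the function names are assumptions of this example.

```powershell
# Added example, not from the bulletin. Assumes PowerShell 5.1 or later on a
# current Windows host, run from an elevated prompt.
$svcName = 'LanmanWorkstation'   # service name behind the "Workstation" display name

function Get-SmbListeners {
    # The Workstation RPC interface is reached over the SMB ports the bulletin
    # says to block; report whether anything is listening on them.
    Get-NetTCPConnection -State Listen -LocalPort 139, 445 -ErrorAction SilentlyContinue |
        Select-Object LocalAddress, LocalPort, OwningProcess
}

function Get-WorkstationExposure {
    # Current state of the service plus the services that would stop working
    # if it is disabled (the bulletin lists Alerter, Browser, Messenger,
    # Net Logon and RPC Locator; the live list comes from the service database).
    $svc = Get-Service -Name $svcName -ErrorAction Stop
    [pscustomobject]@{
        Status     = $svc.Status
        StartType  = $svc.StartType
        Dependents = @($svc.DependentServices | ForEach-Object { $_.DisplayName })
    }
}

function Disable-WorkstationService {
    # Bulletin workaround: Startup type Disabled, then stop the service.
    # Intended for stand-alone hosts only; domain members lose file/print
    # access and domain logon. -Force also stops the dependent services.
    Set-Service -Name $svcName -StartupType Disabled
    Stop-Service -Name $svcName -Force
}

function Enable-WorkstationService {
    # Reverse the workaround once the security update is installed.
    Set-Service -Name $svcName -StartupType Automatic
    Start-Service -Name $svcName
}

# Usage: review exposure first, then apply or reverse the workaround.
Get-SmbListeners | Format-Table -AutoSize
Get-WorkstationExposure | Format-List
# Disable-WorkstationService
# Enable-WorkstationService
```

Run the two report functions before deciding: a host with no SMB listeners and an already disabled service has nothing to change, while a host with a non-empty Dependents list is one where the bulletin's impact note applies and the firewall workaround is the better choice.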
Security Update Information

Windows XP (all versions)

Windows 2000 (all versions)

Acknowledgments

Microsoft thanks the following for working with us to protect customers:

  eEye Digital Security for reporting the issue in MS03-049.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:

  Security updates are available from the Microsoft Download Center, and
  can be most easily found by doing a keyword search for "security_patch".

  Updates for consumer platforms are available from the WindowsUpdate web
  site.

Support:

  Technical support is available from Microsoft Product Support Services at
  1-866-PCSAFETY. There is no charge for support calls associated with
  security patches.

  International customers can get support from their local Microsoft
  subsidiaries. There is no charge for support associated with security
  updates. Information on how to contact Microsoft support is available at
  http://support.microsoft.com/common/international.aspx

Security Resources:

  The Microsoft TechNet Security Web Site provides additional information
  about security in Microsoft products.

  Microsoft Software Update Services: http://www.microsoft.com/sus/

  Microsoft Baseline Security Analyzer (MBSA) details:
  http://www.microsoft.com/technet/security/tools/mbsahome.asp. Please see
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;306460 for a
  list of security updates that have detection limitations with the MBSA
  tool.
  Windows Update Catalog:
  http://support.microsoft.com/default.aspx?scid=kb;EN-US;323166

  Windows Update: http://windowsupdate.microsoft.com

  Office Update: http://office.microsoft.com/officeupdate/

Software Update Services (SUS):

  Microsoft Software Update Services (SUS) enables administrators to
  quickly and reliably deploy the latest critical updates and security
  updates to Windows® 2000 and Windows Server™ 2003-based servers, as well
  as to desktop computers running Windows 2000 Professional or Windows XP
  Professional.

  For information about how to deploy this security patch with Software
  Update Services, visit the following Microsoft Web site:
  http://www.microsoft.com/sus/

Systems Management Server (SMS):

  Systems Management Server can provide assistance deploying this security
  update. For information about Systems Management Server visit the SMS Web
  Site. SMS also provides several additional tools to assist administrators
  in the deployment of security updates such as the SMS 2.0 Software Update
  Services Feature Pack and the SMS 2.0 Administration Feature Pack. The
  SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft
  Baseline Security Analyzer and the Microsoft Office Detection Tool to
  provide broad support for security bulletin remediation. Some software
  updates may require administrative rights following a restart of the
  computer.

  Note: The inventory capabilities of the SMS 2.0 Software Update Services
  Feature Pack may be used for targeting updates to specific computers, and
  the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool
  can be used for installation. This provides optimal deployment for
  updates that require explicit targeting using Systems Management Server
  and administrative rights after the computer has been restarted.

Disclaimer:

  The information provided in the Microsoft Knowledge Base is provided "as
  is" without warranty of any kind.
  Microsoft disclaims all warranties, either express or implied, including
  the warranties of merchantability and fitness for a particular purpose.
  In no event shall Microsoft Corporation or its suppliers be liable for
  any damages whatsoever including direct, indirect, incidental,
  consequential, loss of business profits or special damages, even if
  Microsoft Corporation or its suppliers have been advised of the
  possibility of such damages. Some states do not allow the exclusion or
  limitation of liability for consequential or incidental damages so the
  foregoing limitation may not apply.

Revisions:

  V1.0 (November 11, 2003): Bulletin published

[***** End Microsoft Security Bulletin MS03-049 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft Corporation for the
information contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:  http://www.ciac.org/
   Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.
If you are not part of these communities, please contact your agency's
response team to report incidents. Your agency's team will coordinate with
CIAC. The Forum of Incident Response and Security Teams (FIRST) is a
world-wide organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of
the United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for
the accuracy, completeness, or usefulness of any information, apparatus,
product, or process disclosed, or represents that its use would not
infringe privately owned rights. Reference herein to any specific
commercial products, process, or service by trade name, trademark,
manufacturer, or otherwise, does not necessarily constitute or imply its
endorsement, recommendation or favoring by the United States Government or
the University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

O-013: Buffer Overflow in Oracle Binary
O-014: SGI Wildcard Exportfs Issue in Network File System (NFS)
O-015: Apache HTTP Server 2.0.48 Release Fixes Security Vulnerabilities
O-016: Apache HTTP Server 1.3.29 Release Fixes Security Vulnerability
O-017: SQL Injection Vulnerability in Oracle9i Application Server
O-018: Hewlett Packard Java VM Classloader (J2SE)
O-019: Hewlett Packard NLSPATH may contain any path
O-020: Sun Buffer Overflow Vulnerability in the CDE DtHelp Library
O-021: Microsoft Cumulative Security Update for Internet Explorer