__________________________________________________________

             The U.S. Department of Energy
         Computer Incident Advisory Capability
                       ___  __ __    _     ___
                      /       |     /_\   /
                      \___  __|__  /   \  \___
__________________________________________________________

                       INFORMATION BULLETIN

  Microsoft Vulnerability in the Windows Internet Naming Service (WINS)
                              [MS04-006]

February 10, 2004 20:00 GMT                                     Number O-077
______________________________________________________________________________
PROBLEM:       A security vulnerability exists in the Windows Internet Naming
               Service (WINS) because of the method that WINS uses to
               validate the length of packets.

PLATFORM:      Microsoft Windows NT Server 4.0 Service Pack 6a
               Microsoft Windows NT Server 4.0 Terminal Server Edition
                 Service Pack 6
               Microsoft Windows 2000 Server Service Pack 2,
               Microsoft Windows 2000 Server Service Pack 3,
               Microsoft Windows 2000 Professional Service Pack 4
               Microsoft Windows Server 2003
               Microsoft Windows Server 2003 64-Bit Edition

DAMAGE:        An attacker who sent a series of specially-crafted packets to
               a WINS server could cause the service to fail.

SOLUTION:      Install the patch.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. An attacker could shut down the local WINS
ASSESSMENT:    server (Denial of Service).
______________________________________________________________________________
LINKS:

 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/o-077.shtml
 ORIGINAL BULLETIN:  Microsoft Security Bulletin MS04-006
                     http://www.microsoft.com/technet/security/bulletin/MS04-006.asp
 CVE/CAN:            http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0825
______________________________________________________________________________

[***** Start MS04-006 *****]

Microsoft Security Bulletin MS04-006

Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code
Execution (830352)

Issued: February 10, 2004
Version Number: 1.0

Summary

Who should read this document: Customers who are using Microsoft® Windows
Internet Naming Service (WINS)®

Impact of vulnerability: Remote Code Execution

Maximum Severity Rating: Important

Recommendation: WINS server administrators should install the patch at the
earliest opportunity.

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software

 * Microsoft Windows NT® Server 4.0 Service Pack 6a - Download the update
 * Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6 -
   Download the update
 * Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000 Server
   Service Pack 3, Microsoft Windows 2000 Server Service Pack 4 - Download the
   update
 * Microsoft Windows Server™ 2003 - Download the update
 * Microsoft Windows Server 2003 64-Bit Edition - Download the update

Non Affected Software

 * Microsoft Windows NT® Workstation 4.0 Service Pack 6a
 * Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows 2000
   Professional Service Pack 3, Microsoft Windows 2000 Professional Service
   Pack 4
 * Microsoft Windows XP, Microsoft Windows XP Service Pack 1
 * Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition
   Service Pack 1
 * Microsoft Windows XP 64-Bit Edition Version 2003, Microsoft Windows XP
   64-Bit Edition Version 2003 Service Pack 1
The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security update support or
may not be affected. Review the Microsoft Support Lifecycle Web site to
determine the support lifecycle for your product and version.

Technical Details

Technical description:

A security vulnerability exists in the Windows Internet Naming Service (WINS).
This vulnerability exists because of the method that WINS uses to validate the
length of specially-crafted packets. On Windows Server 2003 this vulnerability
could allow an attacker who sent a series of specially-crafted packets to a
WINS server to cause the service to fail. Most likely, this could cause a
denial of service, and the service would have to be manually restarted to
restore functionality.

The possibility of a denial of service on Windows Server 2003 results from the
presence of a security feature that is used in the development of Windows
Server 2003. This security feature detects when an attempt is made to exploit
a stack-based buffer overrun and reduces the chance that it can be easily
exploited. This security feature can be forced to terminate the service to
prevent malicious code execution. On Windows Server 2003, when an attempt is
made to exploit the buffer overrun, the security feature reacts and terminates
the service. This results in a denial of service condition of WINS. Because it
is possible that methods may be found in the future to bypass this security
feature, which could then enable code execution, customers should apply the
update. For more information about these security features, visit the
following Web site.

On Windows NT and Windows 2000, the nature of the vulnerability is slightly
different. WINS will reject the specially-crafted packet and the attack does
not result in a denial of service. The vulnerability on these platforms also
does not allow code execution.
Microsoft is releasing a security update for these platforms that corrects the
vulnerable code as a preventive measure, to help protect these platforms in
case methods are found in the future to exploit this vulnerability.

Mitigating factors:

 * The WINS service is not installed by default.
 * On Windows Server 2003, WINS automatically restarts if it fails. After the
   third automatic restart, WINS requires a manual restart to restore
   functionality.
 * On Windows 2000 and Windows NT 4.0, WINS contains the vulnerable code.
   However, on these platforms this issue does not cause a denial of service.
 * The vulnerability would not enable an attacker to gain any privileges on an
   affected system. Under the most likely attack scenario, this issue is
   strictly a denial of service.
 * Firewall best practices and standard default firewall configurations can
   help protect networks from remote attacks that originate outside the
   enterprise perimeter. Best practices recommend blocking all ports that are
   not being used. In most network configurations, the WINS server is not
   available for connection from over the Internet.

Severity Rating:

 Microsoft Windows NT 4.0                                 Low
 Microsoft Windows NT Server 4.0 Terminal Server Edition  Low
 Microsoft Windows 2000                                   Low
 Microsoft Windows Server 2003                            Important

The above assessment is based on the types of systems that are affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0825

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability. However, they help block known attack
vectors. Workarounds may reduce functionality in some cases; in such cases,
the reduction in functionality is identified below.

Block TCP port 42 and UDP 137 at your firewall.

These ports are used to initiate a connection with a remote WINS server.
Blocking these ports at the firewall will help prevent systems that are behind
that firewall from being attacked by attempts to exploit this vulnerability.
It is possible that other ports may be found that could be used to exploit
this vulnerability. The ports that are listed are the most common attack
vectors. Microsoft recommends blocking all inbound unsolicited communication
from the Internet.

Remove WINS if you do not need it:

In many organizations, WINS only provides services for legacy systems. If WINS
is no longer needed, you could remove it by following this procedure. These
steps apply only to Windows 2000 and later. For Windows NT 4.0, follow the
procedure that is included in the product documentation.

To configure WINS components and services:

 1. In Control Panel, open Add or Remove Programs.
 2. Click Add/Remove Windows Components.
 3. On the Windows Components Wizard page, under Components, click Networking
    Services, and then click Details.
 4. Click to clear the Windows Internet Naming Service (WINS) check box to
    remove WINS.
 5. Complete the Windows Components Wizard by following the instructions on
    the screen.

Impact of Workaround: Many organizations require WINS to perform name
registration and name resolution functions on their network. Administrators
should not remove WINS unless they fully understand the effect that doing so
will have on their network. For more information about WINS, see the WINS
product documentation. Also, if an administrator is removing the WINS
functionality from a server that will continue to provide shared resources on
the network, the administrator must correctly reconfigure the system to use
the remaining name resolution services within the local network.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

 * Qualys for reporting the issue in MS04-006.
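The mitigating factors above state that on Windows Server 2003 WINS restarts itself after a failure, but needs a manual restart after the third one. The following detection logic is an added example, not part of the CIAC or Microsoft bulletin: it counts WINS unexpected-termination events per host in constructed Service Control Manager style log lines and flags hosts that have hit that threshold. The one-line-per-event export format and the use of event ID 7034 for "service terminated unexpectedly" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the bulletin). Assumed export format:
#   <host> <ISO timestamp> <event id> <message>
# Event ID 7034 is assumed to be the Service Control Manager's
# "service terminated unexpectedly" event.
SAMPLE_LOG = """\
wins01 2004-02-10T20:01:05 7034 The Windows Internet Name Service (WINS) service terminated unexpectedly. It has done this 1 time(s).
wins01 2004-02-10T20:01:06 7035 The Windows Internet Name Service (WINS) service was successfully sent a start control.
wins02 2004-02-10T20:02:10 7034 The DHCP Server service terminated unexpectedly. It has done this 1 time(s).
wins03 2004-02-10T20:02:40 7034 The Windows Internet Name Service (WINS) service terminated unexpectedly. It has done this 1 time(s).
wins01 2004-02-10T20:03:15 7034 The Windows Internet Name Service (WINS) service terminated unexpectedly. It has done this 2 time(s).
wins01 2004-02-10T20:05:20 7034 The Windows Internet Name Service (WINS) service terminated unexpectedly. It has done this 3 time(s).
"""

LINE_RE = re.compile(r"^(?P<host>\S+) (?P<ts>\S+) (?P<eid>\d+) (?P<msg>.*)$")
CRASH_EVENT_ID = 7034
WINS_CRASH_MARKER = "(WINS) service terminated unexpectedly"
# Per MS04-006, WINS on Windows Server 2003 restarts itself after a failure,
# but after the third automatic restart an administrator must restart it.
MANUAL_RESTART_THRESHOLD = 3


def wins_crashes_by_host(log_text):
    """Map each host to the timestamps of its WINS unexpected terminations."""
    crashes = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or int(m.group("eid")) != CRASH_EVENT_ID:
            continue  # malformed line, or not a crash event
        if WINS_CRASH_MARKER in m.group("msg"):
            crashes[m.group("host")].append(m.group("ts"))
    return dict(crashes)


def triage(log_text, threshold=MANUAL_RESTART_THRESHOLD):
    """Split hosts into (needs manual restart, crashed but still auto-restarting).

    Any WINS crash deserves a look: it may be a malformed-packet attempt that
    the stack protection described in the bulletin stopped.
    """
    crashes = wins_crashes_by_host(log_text)
    down = sorted(h for h, ts in crashes.items() if len(ts) >= threshold)
    watch = sorted(h for h, ts in crashes.items() if len(ts) < threshold)
    return down, watch
```

Running triage(SAMPLE_LOG) on the constructed lines returns wins01 as needing a manual restart and wins03 as a single crash to investigate; the DHCP crash on wins02 is ignored.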
Obtaining other security updates:

Updates for other security issues are available from the following locations:

 * Security updates are available from the Microsoft Download Center, and can
   be most easily found by doing a keyword search for "security_patch".
 * Updates for consumer platforms are available from the WindowsUpdate Web
   site.

Support:

 * Technical support is available from Microsoft Product Support Services at
   1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for
   support calls that are associated with security updates.
 * International customers can get support from their local Microsoft
   subsidiaries. There is no charge for support associated with security
   updates. Information on how to contact Microsoft support is available at
   the International Support Web Site.

Security Resources:

 * The Microsoft TechNet Security Web Site provides additional information
   about security in Microsoft products.
 * Microsoft Software Update Services
 * Microsoft Baseline Security Analyzer (MBSA)
 * Windows Update
 * Windows Update Catalog: Please view Knowledge Base Article 323166 for more
   information on the Windows Update Catalog.
 * Office Update

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and
reliably deploy the latest critical updates and security updates to Windows®
2000 and Windows Server™ 2003-based servers, as well as to desktop computers
running Windows 2000 Professional or Windows XP Professional.

For information about how to deploy this security update with Software Update
Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site. For detailed information about the many enhancements to the security
update deployment process that SMS 2003 provides, please visit the SMS 2003
Security Patch Management Web site.
For users of SMS 2.0, it also provides several additional tools to assist
administrators in the deployment of security updates such as the SMS 2.0
Software Update Services Feature Pack and the SMS 2.0 Administration Feature
Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft
Baseline Security Analyzer and the Microsoft Office Detection Tool to provide
broad support for security bulletin remediation. Some software updates may
require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services
Feature Pack may be used for targeting updates to specific computers, and the
SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be
used for installation. This provides optimal deployment for updates that
require explicit targeting using Systems Management Server and administrative
rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is"
without warranty of any kind. Microsoft disclaims all warranties, either
express or implied, including the warranties of merchantability and fitness
for a particular purpose. In no event shall Microsoft Corporation or its
suppliers be liable for any damages whatsoever including direct, indirect,
incidental, consequential, loss of business profits or special damages, even
if Microsoft Corporation or its suppliers have been advised of the possibility
of such damages. Some states do not allow the exclusion or limitation of
liability for consequential or incidental damages so the foregoing limitation
may not apply.

Revisions:

 * V1.0 February 10, 2004: Bulletin published.

[***** End MS04-006 *****]
_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be
contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights.
Reference herein to any specific commercial products, process, or service by
trade name, trademark, manufacturer, or otherwise, does not necessarily
constitute or imply its endorsement, recommendation or favoring by the United
States Government or the University of California. The views and opinions of
authors expressed herein do not necessarily state or reflect those of the
United States Government or the University of California, and shall not be
used for advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

CIACTech04-001: Remote Detection of the MyDoom.A Worm
O-068: Microsoft Internet Explorer Cumulative Patch
O-069: Sun kcms_server Daemon Vulnerability
O-070: Sun Basic Security Module (BSM) Vulnerability
O-071: Debian kernel-patch-2.4.17-mips Integer Overflow
O-072: Check Point FireWall-1 HTTP Security Server Vulnerability
O-073: Check Point VPN-1 Server and VPN Client Buffer Overflow Vulnerability
O-074: Red Hat Cross-site Scripting Vulnerability in Mailman Package
O-075: RealPlayer / RealOne Player Buffer Overrun Vulnerabilities
O-076: MS Vulnerability in Virtual PC for Mac