__________________________________________________________ The U.S. Department of Energy Computer Incident Advisory Capability ___ __ __ _ ___ / | /_\ / \___ __|__ / \ \___ __________________________________________________________ INFORMATION BULLETIN Vulnerabilities in TCP-IP (893066) [Microsoft Security Bulletin MS05-019] April 12, 2005 21:00 GMT Number P-177 [REVISED 13 Apr 2005] [REVISED 12 May 2005] [REVISED 02 Jun 2005] [REVISED 15 Jun 2005] [REVISED 20 Jun 2005] [REVISED 29 Jun 2005] [REVISED 11 Jul 2005] [REVISED 25 Jul 2005] [REVISED 17 Aug 2005] [REVISED 05 Oct 2005] [REVISED 07 Dec 2005] [REVISED 01 Dec 2006] [REVISED 08 Dec 2006] ______________________________________________________________________________ PROBLEM: There are several vulnerabilities in TCP/IP: 1) IP Validation; 2) ICMP Connection Reset Vulnerability; 3) ICMP Path MTU Vulnerability; 4) TCP Connection Reset Vulnerability; and 5) Spoofed Connection Request Vulnerability. PLATFORM: Tested Software and Security Update Download Locations: Affected Software: -Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 -Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 -Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) -Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) -Microsoft Windows Server 2003 -Microsoft Windows Server 2003 for Itanium-based Systems -Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems. SPARC Platform Solaris 7, 8, 9, 10 x86 Platform Solaris 7, 8, 9, 10 HP-UX B.11.00, B.11.04, B.11.11, B.11.22, B.11.23 running TCP/IP HP-UX B.11.11 and B.11.23 running TOUR (Transport Optional Upgrade Release) HP Tru64 UNIX 5.1B-3, 5.1B-2/PK4, 5.1A PK, 4.0G PK4, 4.0F PK8 DAMAGE: Could allow an attacker to send a specially crafted IP message to an affected systems. SOLUTION: Upgrade to the appropriate versions. ______________________________________________________________________________ VULNERABILITY The risk is HIGH. Could cause the affected system to remotely ASSESSMENT: execute code. However, attempts to exploit these vulnerabilities would most likely result in a Denial of Service. ______________________________________________________________________________ LINKS: CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/p-177.shtml ORIGINAL BULLETIN: Microsoft Security Bulletin MS05-019 (893066) http://www.microsoft.com/technet/security/bulletin/ms05-019.mspx ADDITIONAL LINKS: Sun Alert ID: 101658 (formerly 57746) http://www.sunsolve.sun.com/search/document.do?assetkey=1-26-57746-1&searchclause=%22category:security%22%20%22availability,%20security%22 Visit HP's website for their security bulletin: HPSBUX01164 / SSRT 4884 rev. 8 and HPSBTU01210 / SSRT4743 / SSRT4884 rev. 1 CVE/CAN: http://www.cve.mitre.org/cgi-bin/cvename.cgi?name= CAN-2005-0048 CAN-2004-0790 CAN-2004-0230 CAN-2005-0688 ______________________________________________________________________________ REVISION HISTORY: 04/13/2005 - revised to add a link to Sun Alert ID: 57746 for SPARC Platform Solaris 7, 8, 9, 10 and x86 Platform Solaris 7, 8, 9, and 10. 05/12/2005 - revised to note changes to Microsoft's Security Bulletin MS05-019 that advises customers of the planned re-release of this update in June. The June update focuses on resolving network connectivity issues that some customers experienced after installing this security update (MS05-019). 06/02/2005 - added a link to HP's Security Bulletin that provides updates addressing the ICMP vulnerabilities described in CAN-2004-0790 and CAN-2004-1060. 06/15/2005 - revised to update the changes Microsoft has made in MS05-019. 06/20/2005 - revised to note changes to HP's Security Bulletin HPSBUX01164, SSRT4884 that includes additional vulnerable software versions B.11.11 and B.11.23 running TOUR. 06/29/2005 - revised to note changes to HP's Security Bulletin HPSBUX01164, SRT4884 where they have put out rev. 3 for PHNE_33159 is available for B.11.11. 07/11/2005 - revised to note changed to HP's Security Bulletin HPSBUX01164, SRT4884 where they have put out rev. 4 for PHNE_32606 is available for B.11.13. 07/25/2005 - revised to note changed to HP's Security Bulletin HPSBUX01164, SRT4884 where they have put out rev. 5 for PHNE_33395 is available for B.11.00. 08/17/2005 - updated Security Bulletin HPSBUX01164 / SSRT4884, provides patches for B.11.04. 10/05/2005 - to added a reference to HP Security Bulletin HPSBTU01210 / SSRT4743 / SSRT4884 rev 1 that provides updated patches for HP Tru64 UNIX 5.1B-3, 5.1B-2/PK4, 5.1A PK, 4.0G PK4, 4.0F PK8. 12/07/2005 - added a reference to HP's revisions to HPSBUX01164 / SSRT4884 that announces the availability of TOUR 3.0. 12/01/2006 - updated to note that Sun Alert ID: 101658 (formerly 57746) updated its Contributing Factors and Resolution sections 12/08/2006 - updated to note that Sun Alert ID: 101658 (formerly 57746) updated its Contributing Factors and Resolution sections and changed its State to "Resolved" [***** Start Microsoft Security Bulletin MS05-019 *****] Microsoft Security Bulletin MS05-019 Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service (893066) Issued: April 12, 2005 Updated: June 14, 2005 Version: 2.0 Summary Who should read this document: Customers who use Microsoft Windows Impact of Vulnerability: Remote Code Execution Maximum Severity Rating: Critical Recommendation: Customers should apply the update immediately. Security Update Replacement: None. Caveats: Microsoft Knowledge Base Article 893066 documents the currently known issues that customers may experience when they install this security update. The article also documents recommended solutions for these issues. For more information, see Microsoft Knowledge Base Article 893066. Tested Software and Security Update Download Locations: Affected Software: • Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 – Download the update • Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 – Download the update • Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) – Download the update • Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) – Download the update • Microsoft Windows Server 2003 – Download the update • Microsoft Windows Server 2003 for Itanium-based Systems – Download the update • Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) – Review the FAQ section of this bulletin for details about these operating systems. Non-Affected Software: • Microsoft Windows Server 2003 Service Pack 1 • Microsoft Windows Server 2003 with SP1 for Itanium-based Systems • Microsoft Windows Server 2003 x64 Edition • Microsoft Windows XP Professional x64 Edition The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site. General Information Executive Summary Executive Summary: This update resolves several newly-discovered, privately-reported and public vulnerabilities. Each vulnerability is documented in this bulletin in its own “Vulnerability Details” section. An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. However, an attacker who successfully exploited the most severe of these vulnerabilities would most likely cause the affected system to stop responding. We recommend that customers apply the update immediately. Severity Ratings and Vulnerability Identifiers: Vulnerability Identifiers Impact of Vulnerability Windows 98, 98 SE, ME Windows 2000 Windows XP Service Pack 1 Windows XP Service Pack 2 Windows Server 2003 IP Validation Vulnerability - CAN-2005-0048 Remote Code Execution Not Critical Critical Critical None None ICMP Connection Reset Vulnerability - CAN-2004-0790 Denial of Service Not Critical Moderate Moderate Moderate Moderate ICMP Path MTU Vulnerability - CAN-2004-1060 Denial of Service Not Critical Moderate Moderate Moderate Moderate TCP Connection Reset Vulnerability - CAN-2004-0230 Denial of Service Not Critical Low Low None Low Spoofed Connection Request Vulnerability - CAN-2005-0688 Denial of Service None None None Low Low Aggregate Severity of All Vulnerabilities Not Critical Critical Critical Moderate Moderate This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Note The severity ratings for non x86 operating system versions map to the x86 operating systems versions as follows: • The Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) severity rating is the same as Windows XP Service Pack 1 severity rating. • The Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) severity rating is the same as Windows XP Service Pack 1 severity rating. • The Microsoft Windows Server 2003 for Itanium-based Systems severity rating is the same as Windows Server 2003 severity rating. Security Update Information Affected Software: For information about the specific security update for your affected software, click the appropriate link: * Windows Server 2003 (all versions) * Windows XP (all versions) * Windows 2000 (all versions) Acknowledgments Microsoft thanks the following for working with us to help protect customers: • Song Liu, Hongzhen Zhou, and Neel Mehta of ISS X-Force for reporting the IP Validation Vulnerability (CAN-2005-0048). • Fernando Gont of Argentina's Universidad Tecnologica Nacional/Facultad Regional Haedo, for working with us responsibly on the ICMP Connection Reset Vulnerability (CAN-2004-0790) and the ICMP Path MTU Vulnerability (CAN-2004-1060). • Qualys for reporting the ICMP Path MTU Vulnerability (CAN-2004-1060). Obtaining Other Security Updates: Updates for other security issues are available at the following locations: • Security updates are available in the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch." • Updates for consumer platforms are available at the Windows Update Web site. Support: • Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. • International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. Security Resources: • The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. • Microsoft Software Update Services • Microsoft Baseline Security Analyzer (MBSA) • Windows Update • Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166. • Office Update Software Update Services: By using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional. For more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. Systems Management Server: Microsoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows- based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site. Note SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates. Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply. Revisions: • V1.0 (April 12, 2005): Bulletin published • V1.1 (May 11, 2005): Microsoft updated this bulletin today to advise customers that we plan to re-release the MS05-019 security update in June, 2005. Until the re-release of this security update is available, customers experiencing the symptoms described in Microsoft Knowledge Base Article 898060 should follow the documented instructions to address this issue. If you are not experiencing this network connectivity issue we recommend that you install the currently available security update to help protect against the vulnerabilities described in this security bulletin. • V2.0 (June 14, 2005): Microsoft updated this bulletin today to advise customers that a revised version of the security update is available. We recommend installing this revised security update even if you have installed the previous version. The revised security update will be available through Windows Update, Software Update Services (SUS), and will be recommended by the Microsoft Baseline Security Analyzer (MBSA). [***** End Microsoft Security Bulletin MS05-019 *****] _______________________________________________________________________________ CIAC wishes to acknowledge the contributions of Microsoft for the information contained in this bulletin. _______________________________________________________________________________ CIAC, the Computer Incident Advisory Capability, is the computer security incident response team for the U.S. Department of Energy (DOE) and the emergency backup response team for the National Institutes of Health (NIH). CIAC is located at the Lawrence Livermore National Laboratory in Livermore, California. CIAC is also a founding member of FIRST, the Forum of Incident Response and Security Teams, a global organization established to foster cooperation and coordination among computer security teams worldwide. CIAC services are available to DOE, DOE contractors, and the NIH. CIAC can be contacted at: Voice: +1 925-422-8193 (7x24) FAX: +1 925-423-8002 STU-III: +1 925-423-2604 E-mail: ciac@ciac.org Previous CIAC notices, anti-virus software, and other information are available from the CIAC Computer Security Archive. World Wide Web: http://www.ciac.org/ Anonymous FTP: ftp.ciac.org PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing communities receive CIAC bulletins. If you are not part of these communities, please contact your agency's response team to report incidents. Your agency's team will coordinate with CIAC. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained via WWW at http://www.first.org/. This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes. LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC) P-165: libXpm Integer Overflow Flaw P-167: cURL Security Update P-166: Sybase Security Issues in ASE 12.5.3 and Earlier P-168: Mozilla Security Update P-169: Cisco Security Advisory: Vulnerabilities in the Internet Key Exchange Xauth Implementation P-170: Cisco Security Advisory: Vulnerabilities in Cisco IOS Secure Shell Server P-171: SGI Advanced Linux Environment 3 Security Update #33 P-172: SGI IRIX gr_osview File Overwrite Vulnerabilities P-173: Cumulative Security Update for Internet Explorer (890923) P-174: Vulnerability in Exchange Server (894549) P-175: Vulnerability in MSN Messenger (896597) P-176: Vulnerabilities in Microsoft Word (890169)