[<prev] [next>] [day] [month] [year] [list]
Message-ID: <200404141751.18321.security@nsfocus.com>
From: security at nsfocus.com (NSFOCUS Security Team)
Subject: NSFOCUS SA2004-01 : DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Topic: DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding
Release Date: 2004-04-14
CVE CAN ID: CAN-2004-0119
http://www.nsfocus.com/english/homepage/research/0401.htm
Affected Software and Systems:
===================
- - Microsoft Windows XP
- - Microsoft Windows 2000
- - Microsoft Windows 2003
Unaffected Software and Systems:
===================
- - Microsoft Windows 9x
- - Microsoft Windows NT
Summary:
=========
NSFOCUS Security Team has found there is a remote DoS vulnerability in the
SPNEGO protocol decoding function of Microsoft Windows system. Exploiting
the vulnerability remote attackers could cause Windows system to crash or
malfunction.
Description:
============
Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol is used
to negotiate which security mechanism should be adopted. Windows system
allows various authentication mechanisms, it also uses SPNEGO protocol to
implement the authentication mechanism negotiation between the clients and
servers.
There is a security vulnerability when Windows system handles SPNEGO protocol
codes, which allows attackers to launch DoS attacks.
When a carefully crafted SPNEGO NegTokenInit request is sent, a null pointer
reference error might occur in LSASRV.DLL, resulting in LSASS.EXE crash. This
will make all the operations related to system authentication (such as
remote access to SMB share, or interactive local login) unavailable. For
Windows 2003, it will result in automatic shutting off or bluescreen.
Attackers can launch attacks through any service that uses SPNEGO, such as
TCP port 139, 445. By default IIS also negotiates which authentication
protocol (for example, NTLM, Kerberos, etc)should be adopted by SPNEGO,
therefore, it's possible for attackers to launch attacks through IIS.
- From vendor's response the same type of malformed request could still
have triggered a buffer overflow issue in the subsequent code, if they were
to have only fixed the DoS issue.
Vendor's patch fixes both the DoS and buffer overflow issues.
Workaround:
=============
* Restrict access to the following ports from untrusted IPs at the firewall:
445/UDP
139/TCP
445/TCP
* For the system that is providing WEB service through IIS, either of the
following methods can be used to mitigate the threat:
1. Disable "Integrated windows authentication" in IIS service
2. Disable authentication negotiation. Only allow authentication
through NTLM by the following command:
cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM"
adsutil.vbs can be found in the adminscripts directory of IIS.
More detail is available at:
http://support.microsoft.com/?id=215383
Vendor Status:
==============
2004.02.19 Informed the vendor
2004.02.19 Vendor confirmed the vulnerability
2004.04.13 Microsoft released a security bulletin (MS04-011) and relative
patches for the vulnerability.
Detailed information for the Microsoft security bulletin is available at:
http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx
Additional Information:
========================
The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CAN-2004-0119 to this issue. This is a candidate for inclusion in the
CVE list (http://cve.mitre.org), which standardizes names for security
problems. Candidates may change significantly before they become official
CVE entries.
Acknowledgment:
===============
The vulnerability was found by Chen Qing of NSFOCUS Security Team.
DISCLAIMS:
==========
THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY
OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED,
EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES,
EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE
ADVISORY IS NOT MODIFIED IN ANY WAY.
Copyright 1999-2004 NSFOCUS. All Rights Reserved. Terms of use.
NSFOCUS Security Team <security@...ocus.com>
NSFOCUS INFORMATION TECHNOLOGY CO.,LTD
(http://www.nsfocus.com)
PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc
Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 aF6DA
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQFAfQid1794d8am9toRAgZPAJ4oK0WsPHkNZfGXmC6gFLtt1lPoAwCeOyKC
b12vDNxRHHb/rhfZkm5IDTU=
=e1nI
-----END PGP SIGNATURE-----
Powered by blists - more mailing lists