-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Topic: DoS Vulnerability in Microsoft Windows SPNEGO Protocol Decoding Release Date: 2004-04-14 CVE CAN ID: CAN-2004-0119 http://www.nsfocus.com/english/homepage/research/0401.htm Affected Software and Systems: =================== - - Microsoft Windows XP - - Microsoft Windows 2000 - - Microsoft Windows 2003 Unaffected Software and Systems: =================== - - Microsoft Windows 9x - - Microsoft Windows NT Summary: ========= NSFOCUS Security Team has found there is a remote DoS vulnerability in the SPNEGO protocol decoding function of Microsoft Windows system. Exploiting the vulnerability remote attackers could cause Windows system to crash or malfunction. Description: ============ Simple and Protected GSS-API Negotiation Mechanism (SPNEGO) protocol is used to negotiate which security mechanism should be adopted. Windows system allows various authentication mechanisms, it also uses SPNEGO protocol to implement the authentication mechanism negotiation between the clients and servers. There is a security vulnerability when Windows system handles SPNEGO protocol codes, which allows attackers to launch DoS attacks. When a carefully crafted SPNEGO NegTokenInit request is sent, a null pointer reference error might occur in LSASRV.DLL, resulting in LSASS.EXE crash. This will make all the operations related to system authentication (such as remote access to SMB share, or interactive local login) unavailable. For Windows 2003, it will result in automatic shutting off or bluescreen. Attackers can launch attacks through any service that uses SPNEGO, such as TCP port 139, 445. By default IIS also negotiates which authentication protocol (for example, NTLM, Kerberos, etc)should be adopted by SPNEGO, therefore, it's possible for attackers to launch attacks through IIS. - From vendor's response the same type of malformed request could still have triggered a buffer overflow issue in the subsequent code, if they were to have only fixed the DoS issue. Vendor's patch fixes both the DoS and buffer overflow issues. Workaround: ============= * Restrict access to the following ports from untrusted IPs at the firewall: 445/UDP 139/TCP 445/TCP * For the system that is providing WEB service through IIS, either of the following methods can be used to mitigate the threat: 1. Disable "Integrated windows authentication" in IIS service 2. Disable authentication negotiation. Only allow authentication through NTLM by the following command: cscript adsutil.vbs set w3svc/NTAuthenticationProviders "NTLM" adsutil.vbs can be found in the adminscripts directory of IIS. More detail is available at: http://support.microsoft.com/?id=215383 Vendor Status: ============== 2004.02.19 Informed the vendor 2004.02.19 Vendor confirmed the vulnerability 2004.04.13 Microsoft released a security bulletin (MS04-011) and relative patches for the vulnerability. Detailed information for the Microsoft security bulletin is available at: http://www.microsoft.com/technet/security/bulletin/ms04-011.mspx Additional Information: ======================== The Common Vulnerabilities and Exposures (CVE) project has assigned the name CAN-2004-0119 to this issue. This is a candidate for inclusion in the CVE list (http://cve.mitre.org), which standardizes names for security problems. Candidates may change significantly before they become official CVE entries. Acknowledgment: =============== The vulnerability was found by Chen Qing of NSFOCUS Security Team. DISCLAIMS: ========== THE INFORMATION PROVIDED IS RELEASED BY NSFOCUS "AS IS" WITHOUT WARRANTY OF ANY KIND. NSFOCUS DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, EXCEPT FOR THE WARRANTIES OF MERCHANTABILITY. IN NO EVENT SHALL NSFOCUS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF NSFOCUS HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. DISTRIBUTION OR REPRODUCTION OF THE INFORMATION IS PROVIDED THAT THE ADVISORY IS NOT MODIFIED IN ANY WAY. Copyright 1999-2004 NSFOCUS. All Rights Reserved. Terms of use. NSFOCUS Security Team <security@private> NSFOCUS INFORMATION TECHNOLOGY CO.,LTD (http://www.nsfocus.com) PGP Key: http://www.nsfocus.com/homepage/research/pgpkey.asc Key fingerprint = F8F2 F5D1 EF74 E08C 02FE 1B90 D7BF 7877 C6A6 aF6DA -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.0.7 (GNU/Linux) iD8DBQFAfQid1794d8am9toRAgZPAJ4oK0WsPHkNZfGXmC6gFLtt1lPoAwCeOyKC b12vDNxRHHb/rhfZkm5IDTU= =e1nI -----END PGP SIGNATURE-----
This archive was generated by hypermail 2b30 : Wed Apr 14 2004 - 14:33:48 PDT