Credit:
The information has been provided by Microsoft Security.
The original article can be found at:
http://www.microsoft.com/technet/security/bulletin/ms06-031.mspx
Vulnerable Systems:
* Microsoft Windows 2000 Service Pack 4
Immune Systems:
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)
Mitigating Factors for RPC Mutual Authentication Vulnerability:
* An attacker would have no way to force users to connect to a malicious RPC server.
Workarounds for RPC Mutual Authentication Vulnerability:
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* To help protect from network-based attempts to exploit this vulnerability, IPSec can be used to ensure the identity of a system.
Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
FAQ for RPC Mutual Authentication Vulnerability:
What is the scope of the vulnerability?
This is a spoofing vulnerability that affects custom RPC applications acting as RPC clients that use SSL with the mutual authentication option. An attacker who successfully exploited this vulnerability could impersonate a valid RPC server.
What causes the vulnerability?
The affected product does not correctly validate the identity of the RPC server when using mutual authentication over Secure Sockets Layer (SSL).
What is Mutual Authentication?
In mutual authentication, the client and the server machines each exchange credentials so that both identities are verified before any data is exchanged.
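The bulletin does not describe the flaw's internals. The following added example (not from the bulletin or from Microsoft) shows, in general terms, why a client using SSL must check that the server's certificate names the server it intended to reach, and not only that the certificate chains to a trusted CA. All certificates and host names are constructed.

```python
# Constructed certificates, in the dict shape of ssl.SSLSocket.getpeercert().
# Assumption: both chain to a CA the client trusts; all host names are made up.
GENUINE = {"subject": ((("commonName", "rpc01.corp.example"),),),
           "subjectAltName": (("DNS", "rpc01.corp.example"),)}
IMPOSTOR = {"subject": ((("commonName", "other-host.example"),),),
            "subjectAltName": (("DNS", "other-host.example"),)}
WILDCARD = {"subjectAltName": (("DNS", "*.corp.example"),)}


def cert_names(cert):
    """DNS names the certificate asserts: subjectAltName, else commonName."""
    sans = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if sans:
        return sans
    return [v for rdn in cert.get("subject", ())
            for k, v in rdn if k == "commonName"]


def name_matches(pattern, host):
    """Case-insensitive, label-by-label comparison.

    '*' is honoured only as the entire left-most label, and only when at
    least two further labels follow it.
    """
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or "" in h:
        return False
    if p[0] == "*" and len(p) > 2:
        return p[1:] == h[1:]
    return p == h


def accepts_chain_only(cert, chain_trusted=True):
    """Flawed client: any certificate issued by a trusted CA is accepted."""
    return chain_trusted


def accepts_with_identity(cert, expected_host, chain_trusted=True):
    """Sound client: trusted chain AND a name equal to the intended server."""
    return chain_trusted and any(
        name_matches(n, expected_host) for n in cert_names(cert))


if __name__ == "__main__":
    for label, cert in (("genuine", GENUINE), ("impostor", IMPOSTOR)):
        print(label, accepts_chain_only(cert),
              accepts_with_identity(cert, "rpc01.corp.example"))
```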
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could impersonate a valid service.
Who could exploit the vulnerability?
An attacker would first need to persuade a user to connect to a resource which requires mutual authentication using Secure Sockets Layer (SSL). The attacker could then impersonate a valid RPC server. An attacker would have no way to force users to visit the RPC server.
How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by persuading a user to connect to an RPC service which has been configured to impersonate a valid server.
What systems are primarily at risk from the vulnerability?
Workstations and servers are at risk from this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that RPC handles mutual authentication.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
CVE Information:
CVE-2006-2380