The original article can be found at:
* Microsoft Windows 2000 Service Pack 4 - Download the update
* Microsoft Windows XP Service Pack 2
* Microsoft Windows XP Professional x64 Edition
* Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1
* Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
* Microsoft Windows Server 2003 x64 Edition
* Windows Vista
* The attacker must be able to TFTP to the Remote Installation Server to place a specially crafted file or program.
* The Remote Install Service is not installed by default on Windows 2000 Service Pack 4.
* For customers who require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.
* Configure the TFTP service as read only.
You can configure the TFTP service as read only by setting a value in the registry.
Note: Using Registry Editor incorrectly can cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that problems resulting from the incorrect use of Registry Editor can be solved. Use Registry Editor at your own risk. For information about how to edit the registry, view the "Changing Keys And Values" Help topic in Registry Editor (Regedit.exe) or view the "Add and Delete Information in the Registry" and "Edit Registry Data" Help topics in regedit.exe.
Note We recommend backing up the registry before you edit it.
To prevent the RIS server from accepting unauthorized access, add the following to the registry using Regedit.exe.
1. Click Start, and click Run, type regedit (without the quotation marks), and the click OK.
2. In Registry Editor, create the following registry key:
4. Add the DWORD Value: Masters. Set the value to 0. This value disables writable TFTPD access.
5. You must restart the TFTP service for this change to take effect
6. TP service:
7. Click Start, click Run, type Run type cmd (without the quotation marks), and then click OK.
8. In the cmd Window type Net stop TFTPD (without the quotation marks) and press Enter.
* Block port 69 (UDP) at the firewall.
This port is used to initiate a connection with the affected component. Blocking UDP port 69 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports, visit the following Web site.
* Stop the TFTP service if it is not needed
1. Click Start, click Run, type cmd (without the quotation marks), and then click OK.
2. In the cmd Window type "Net stop TFTPD" (without the quotation marks) and press Enter.
Impact of Workaround: If you disable the TFTP service, users will not be able to upload, view or write to the contents of TFTP directories.
* To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.
To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.
Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
What causes the vulnerability?
The vulnerability is caused by allowing anonymous access to the file structure of a hosted operating system build through the RIS TFTP service.
What is RIS?
Remote Installation Services (RIS) is a Pre-boot Execution Environment (PXE)-based deployment technology that allows Windows setup to initiate over a network.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted executable or file to the affected RIS system could try to exploit this vulnerability at a later time on systems that are built using the tampered operating system build.
What systems are primarily at risk from the vulnerability?
All Windows 2000 Server Service Pack 4 systems that have RIS installed are primarily at risk from this vulnerability.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet, but they must first have network permissions to gain access to the RIS service. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet.
What does the update do?
The update removes the vulnerability by not allowing anonymous TFTP users the ability to write to the RIS hosted operating system build s file structure. The update adds the registry key identified in the Workarounds section of the bulletin.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.