An attacker who successfully exploited the most severe of these vulnerabilities could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, attempts to exploit these vulnerabilities would most likely result in a denial of service of the Dynamic Host Configuration Protocol (DHCP) Server service.
Credit:
The information has been provided by Microsoft Product Security.
The original article can be found at: http://www.microsoft.com/technet/security/bulletin/MS04-042.mspx
Vulnerable Systems:
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Immune Systems:
* Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4
* Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2
* Microsoft Windows XP 64-Bit Edition Service Pack 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003 64-Bit Edition
* Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)
CVE Information:
CAN-2004-0899 - Logging Vulnerability
CAN-2004-0900 - DHCP Request Vulnerability
Logging Vulnerability - CAN-2004-0899
A denial of service vulnerability exists that could allow an attacker to send a specially crafted DHCP message to a DHCP server. An attacker could cause the DHCP Server service to stop responding.
Mitigating Factors for Logging Vulnerability
* The DHCP Server service is not installed by default.
* The DHCP Client service is not vulnerable to this issue.
* DHCP Logging is not enabled by default. Only DHCP servers that have enabled DHCP Logging would be vulnerable to this issue.
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Workarounds for Logging Vulnerability
* Disable DHCP Logging
You can help protect against attacks that attempt to exploit this vulnerability by disabling the DHCP Logging feature. To disable this feature, perform the following steps:
* Start the DHCP Manager.
* Click the DHCP server where you want to disable logging.
* Click Server, and then click Properties.
* Click to clear the Enable DHCP Logging check box.
* Restart the DHCP Server service or restart the affected system.
For more information, see Microsoft Knowledge Base Article 164524.
Impact of Workaround: DHCP Logging features are disabled. It is not possible to track activity logs until this feature is enabled.
* Block UDP port 67 and UDP port 68 at your firewall
These ports are used to initiate a connection with a DHCP server. Blocking these ports at the firewall will help prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability. It is possible that other ports may be found that could be used to exploit this vulnerability. The ports that are listed are the most common attack vectors. We recommend that you block all inbound unsolicited communication from the Internet.
* Move DHCP Services to Windows 2000 Server or a later version
Later versions of the DHCP Server service, such as those that are provided as part of Windows 2000 Server or Windows Server 2003, are not vulnerable to this issue. Note: Windows NT 4.0 Server is nearing the end of its support life cycle on December 30, 2004. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site.
FAQ for Logging Vulnerability
What is the scope of the vulnerability?
Under the most likely attack scenario this is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the DHCP Server service to fail. Restarting the DHCP Server service will allow the service to function correctly. However, the DHCP Server service could remain vulnerable to another denial of service attack.
What causes the vulnerability?
An unchecked buffer in the method that DHCP uses to validate a value from specially crafted network packets.
What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is an IP standard that is designed to reduce the complexity of administering address configurations. DHCP does this by using a server computer to centrally manage IP addresses and other related configuration details used on your network. Windows NT 4.0 Server provides the DHCP Server service, which enables the server computer to perform as a DHCP Server and to provide configuration settings to DHCP-enabled client computers on your network as described in the DHCP IETF RFC 2131.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could most likely cause DHCP to stop responding to all requests.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by creating a program that could communicate with a vulnerable server through DHCP to send a specific kind of specially crafted DHCP message. Receipt of such a message could cause the vulnerable service to fail in such a way that it could cause a denial of service for that service.
What systems are primarily at risk from the vulnerability?
Only Windows NT 4.0 Server systems that have been configured as DHCP servers with DHCP logging enabled are vulnerable.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the DHCP Server service validates the length of a message before it passes the message to the allocated buffer.
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.
DHCP Request Vulnerability - CAN-2004-0900
A remote code execution vulnerability exists that could allow an attacker to send a specially crafted DHCP message to a DHCP server. However, attempts to exploit this vulnerability would most likely result in a denial of service of the DHCP Server service.
Mitigating Factors for DHCP Request Vulnerability
* The DHCP Server service is not installed by default.
* The DHCP Client service is not vulnerable to this issue.
* Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Workarounds for DHCP Request Vulnerability
* Block UDP port 67 and UDP port 68 at your firewall
These ports are used to initiate a connection with a DHCP server. Blocking these ports at the firewall will help prevent systems that are behind that firewall from being attacked by attempts to exploit this vulnerability. It is possible that other ports may be found that could be used to exploit this vulnerability. The ports that are listed are the most common attack vectors. We recommend that you block all inbound unsolicited communication from the Internet.
* Move DHCP Services to Windows 2000 Server or a later version
Later versions of the DHCP Server service, such as those that are provided as part of Windows 2000 Server or Windows Server 2003, are not vulnerable to this issue. Note: Windows NT 4.0 Server is nearing the end of its support life cycle on December 30, 2004. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site.
FAQ for DHCP Request Vulnerability
What is the scope of the vulnerability?
This is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts that have full privileges. However, under the most likely attack scenario this is a denial of service vulnerability. An attacker who successfully exploited this vulnerability could cause the DHCP Server service to fail. Restarting the DHCP Server service will allow the service to function correctly. However, the DHCP Server service could remain vulnerable to another denial of service attack.
What causes the vulnerability?
An unchecked buffer in the method that DHCP uses to validate a value from specially crafted network packets.
What is DHCP?
Dynamic Host Configuration Protocol (DHCP) is an IP standard that is designed to reduce the complexity of administering address configurations. DHCP does this by using a server computer to centrally manage IP addresses and other related configuration details used on your network. Windows NT 4.0 Server provides the DHCP Server service, which enables the server computer to perform as a DHCP Server and to provide configuration settings to DHCP-enabled client computers on your network as described in the DHCP IETF RFC 2131.
What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Who could exploit the vulnerability?
Any anonymous user who could deliver a specially crafted message to the affected system could attempt to exploit this vulnerability.
How could an attacker exploit the vulnerability?
An attacker could exploit this vulnerability by creating a program that could communicate with a vulnerable server through DHCP to send a specific kind of specially crafted DHCP message. Receipt of such a message could cause the vulnerable service to fail in such a way that it could allow code execution or cause a denial of service for that service.
What systems are primarily at risk from the vulnerability?
Only Windows NT 4.0 Server systems that have been configured as DHCP servers are vulnerable.
Could the vulnerability be exploited over the Internet?
Yes. An attacker could attempt to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. IT Professionals can visit the Security Guidance Center Web site.
What does the update do?
The update removes the vulnerability by modifying the way that the DHCP Server service validates the length of a message before it passes the message to the allocated buffer.
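The length validation described here and in the Logging Vulnerability FAQ, shown as an added example; it is not Microsoft's code, and the bulletin does not say which field was left unchecked. It assumes a host-name option (option 12) copied into a fixed buffer, and `dhcp_copy_option` and `demo` are hypothetical names:

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#define FIXED_LEN 236u                       /* BOOTP fixed header (RFC 2131) */
static const uint8_t MAGIC[4] = { 0x63, 0x82, 0x53, 0x63 };

/* Copy option `code` into out[0..cap). Returns its length, or
 * -1 malformed packet, -2 option absent, -3 value larger than `out`. */
int dhcp_copy_option(const uint8_t *pkt, size_t n, uint8_t code,
                     uint8_t *out, size_t cap)
{
    size_t i = FIXED_LEN + sizeof MAGIC;
    if (n < i || memcmp(pkt + FIXED_LEN, MAGIC, sizeof MAGIC) != 0)
        return -1;
    while (i < n) {
        uint8_t tag = pkt[i++];
        if (tag == 0) continue;              /* pad: no length byte */
        if (tag == 255) break;               /* end of options */
        if (i >= n) return -1;               /* length byte missing */
        size_t len = pkt[i++];
        if (len > n - i) return -1;          /* value runs past the datagram */
        if (tag == code) {
            if (len > cap) return -3;        /* would overflow the destination */
            memcpy(out, pkt + i, len);
            return (int)len;
        }
        i += len;
    }
    return -2;
}

/* Constructed packet (option 12 and all sizes are assumptions): declares
 * `declared` value bytes, carries `present`, copies into `cap` bytes. */
int demo(uint8_t declared, size_t present, size_t cap)
{
    uint8_t pkt[600] = {0}, out[64];
    size_t i = FIXED_LEN;
    if (present > 255 || cap > sizeof out) return -100;
    memcpy(pkt + i, MAGIC, sizeof MAGIC); i += sizeof MAGIC;
    pkt[i++] = 12; pkt[i++] = declared;
    memset(pkt + i, 'A', present); i += present;
    return dhcp_copy_option(pkt, i, 12, out, cap);
}

int main(void)
{
    printf("%d %d %d\n", demo(8, 8, 16), demo(200, 8, 16), demo(40, 40, 16));
    return 0;
}
```

Both checks are needed: the declared length is compared with the bytes actually received and, separately, with the capacity of the destination buffer.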
When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information indicating that this vulnerability had been publicly disclosed when this security bulletin was originally issued.
When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information indicating that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.