TSA03-007

TSA 03-007 - Windows NT 4.0 NTDLL.DLL

Current Assessment: HOT

Initial Assessment: HOT

Current Assessment Date: April 23, 2003

Time: 19:00 UTC

Executive Summary:

TruSecure Corporation discovered today that Windows NT 4.0 contains a vulnerable version of NTDLL.DLL. The vulnerabilities are identical to those described in our earlier alert (TSA-03-006) however; the vulnerability is now expanded to include all Windows NT 4.0 systems.

TruSecure recommends applying the Microsoft patch to critical devices first.  For instance,  an appropriate strategy would be to focus first on Internet exposed Windows NT, Windows NT Terminal Server and Windows 2000 devices including IIS, FTP, Exchange, Citrix, Kiosk, and then on other critical Windows NT and Windows 2000 devices, then on Desktops running Windows NT and Windows 2000.

 *************************************

RISK INDICES:

Threat:

High - Exploit code is under development and TruSecure anticipates a likely acceleration of attacks.  It is also likely that once an exploit is developed the creation of a worm will follow.

Vulnerability Prevalence:

High - NTDLL is universal on Windows NT and Win2K systems, and is a core part of the Operating Systems.  This alert expands the vulnerability to both Windows NT 4.0 and Win2K systems.

Cost:

High - the potential exploit would allow remote execution under the permissions of the LOCAL_SYSTEM, and may allow both code execution and privilege escalation.


Vulnerable Systems:

TruSecure has learned today that Windows NT 4.0 systems are similarly vulnerable to an exploit of the NTDLL.DLL, and TruSecure has determined that all versions of Windows 2000 systems are vulnerable. 

Caveats:

Windows NT 4.0 - Only systems running Service Pack 6a can be remedied by the Microsoft patch (updated MS03-007).

Windows 2000 - Only systems running Service Pack 2, or Service Pack 3, can be remedied by a patch.

Windows 2000 SP2 - Do not attempt to install this patch on Windows 2000 SP2 systems which have a version of NTOSKRNL.EXE between 5.0.2195.4797 and 5.0.2195.4928 (inclusive).

Summary:

TruSecure Corporation discovered today that Windows NT 4.0 uses a vulnerable version of NTDLL.DLL. The vulnerabilities are identical to those described in TSA-03-006, with the exception that Windows NT 4.0 Internet Information Services 4.0 does not install WebDAV, so is not vulnerable to the attack vectors outlined in TSA-03-005 or TSA-03-005a.

 *********************************************************

Please Note:

MS03-007 was superceded by MS03-013, so systems which have applied MS03-013 need not re-apply MS03-007.

Previous recommendations (contained in TruSecure ALERT - TS 03-005 and TS 03-005a) still apply as reasonable preventative actions against the initial IIS attack vector.  Attacks using the WebDAV vector have occurred.  

TruSecure Corporation therefore recommends that you apply the patch supplied in MS03-007/815021 as soon as practical.


Although MS03-007/815021 was superceded by MS03-013/811493, reports are currently under investigation regarding system instability related to application of this patch. Reports suggest that applying MS03-013/811493 may result in the system responding extremely slowly. Until these reports have been clarified, TruSecure Corporation is not recommending that you apply MS03-013/811493.

 *********************************************************

It should be restated that there are numerous attack vectors against NTDLL.DLL.

This fact expands the Vulnerability Prevalence and increases the Threat Likelihood. The fact that it may be possible to craft an exploit which may work successfully against both Windows NT and Windows 2000 could increase the likelihood that such an attack occurs.

Attacks may be network-based intrusion attempts, such as IIS or possibly FTP, NNTP, IMAP, etc... or within Email messages or Web Pages. Trojans may be built which include this attack method. They may come as attachments, or be found on public FTP servers. Further, publication of the details of the vulnerable applications may lead to internal attacks based on code being run by a malicious, although trusted, user.

Detailed Description:

TruSecure strongly recommends that clients fully test the newly released patch prior to installing it in any production environment.

TruSecure also believes that other synergistic controls like Outlook restrictions pointing to the Restricted Sites zone, file filters at the mail gateway, router default deny, and other recommendations that are part of the TruSecure Security Assurance Service Essential Practices will likely, help mitigate potential attacks against this pervasive vulnerability.

NTDLL.dll is a core operating system DLL and its functions are used by numerous applications. The initial exposure via the WEBDAV facilities in IIS 5.0 reflects only one vector to the exploitable condition in the pre-patch NTDLL.dll. ANY application which processes data from untrusted sources has the potential to exploit the flaw on any Windows NT 4.0 or Windows 2000 device. This may include content received in email, content referenced in web-pages, FTP servers, desktop application flaws, p2p/chat clients and others.

We expect that a worm or blended attack similar to Nimda will eventually be created possibly using this vulnerability as a primary vector.

TruSecure recommends addressing critical devices first.  For instance,  an appropriate strategy would be to focus first on Internet exposed Windows NT, Windows NT Terminal Server and Windows 2000 devices including IIS, FTP, Exchange, Citrix, Kiosk, and then on other critical Windows NT and Windows 2000 devices, then on Desktops running Windows NT and Windows 2000.

It is possible that NTDLL.dll will be the source vulnerability of future attacks, much like the script and unicode vulnerabilities in the past. 

MITIGATIONS:

1) Apply patch to affected Windows NT and Windows 2000 systems

2) Assure that other TruSecure synergistic controls are in place and functional

a. Perimeter Default Deny (including router and WAN / VPN gateways)

b. Essential Configurations for Windows Servers

c. Essential Configurations for Windows Desktops particularly focusing on restrictions to Script and Java Script activity (restricted site zones especially for mail) 

d. Perimeter mail attachment filtering

Patch location:

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Currently only Windows NT and Windows 2000 (Advanced Server, Server and Professional) systems, are affected if they have not already installed MS03-007/815021. Again, it is important not to attempt to install this patch on Windows 2000 SP2 systems which have a version of NTOSKRNL.EXE between 5.0.2195.4797 and 5.0.2195.4928 (inclusive), and, to note that Windows 2000 systems must have at least SP2 applied in order to be patched.

[Further, systems running Windows 2000 SP2 who apply MS03-007/815021 need to remember that applying Windows 2000 SP3 may revert a system to being vulnerable. Confirmation of the migration from SP2 to SP3 reintroducing the vulnerable DLL is currently being tested by ICSA Labs, and the results will be available from your TruSecure Security Analyst. TruSecure Corporation therefore recommends that all customers upgrade to Windows 2000 SP3 or assure that this patch is re-applied after any SP3 upgrades]

TruSecure will continue to update its clients as new intelligence becomes available. 

In the TruSecure methodology of mitigating significant risks with easy to implement synergistic controls, TruSecure may initiate non-invasive independent testing on a sample of our clients related to these vulnerabilities. These assessments will attempt to verify the current state of anticipated attack vectors and assess the potential for successful exploit of this and other common attacks. These are non-intrusive non-penetrating assessments. If this testing occurs, it will originate from the ICSA Labs and TruSecure network addresses from the netblock 12.36.173.0/24.

Communication:

Please contact your TruSecure analyst if you have any questions or if you see actual attempts to exploit this vulnerability. 

TruSecure Corporation provides information security assurance services including TruSecure (r)which significantly reduces the likelihood of participating companies having information security breaches in six areas of risk: Electronic (hacking and related) risk, Malicious Code risk (virus, Trojan worm and related), Privacy risk, Downtime risk, Physical risk and Human Factors risk. Visit Security Solutions for further information on these services. 

Disclaimer:

Copyright (c) 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. 

Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security. 

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.