Cybertrust ALERT 06-001

Cybertrust ACTION ALERT - CT 06-001 - Microsoft Windows Vulnerability in Server Service Could Allow Remote Code Execution MS06-035

Current Assessment: HOT
Initial Assessment: HOT
Current Assessment Date: July 12, 2006
Time: 04:50 UTC
Initial Assessment Date: July 11, 2006
Time: 18:02 UTC
   
Executive Summary:
A vulnerability in Mailslots, small memory-based files normally associated with trivial domain-wide broadcast messages, could allow an automatic network-based worm to be started. The last such worm was Sasser. Details are not yet published, but will likely be forthcoming soon. While perimeter security measures should prevent corporate infections directly from the Internet, roving laptops may bring external infections inside your network. Cybertrust recommends deploying this patch within 7 days.

Threat:  
Currently low, but could escalate rapidly in the next several days to weeks.

Vulnerability Prevalence:
Very High in average corporations; Microsoft Windows 2000, XP and Server 2003 are vulnerable.  

Cost:
High - Based on the historical model from Sasser and MS Blaster, if a worm exploiting this vulnerability were to be launched internally, reactive patching would be very difficult and clean-up would be arduous.

Administrator's Summary:
This one has the potential for a network-based automatic worm, along the lines of Sasser.

Two vulnerabilities exist in the Server service. The first involves Mailslots, temporary memory-based "files" that are typically used to broadcast information throughout a domain. The second vulnerability involves the Server Message Block protocol implementation, used to perform file sharing amongst other things.

Analysis for the Cybertrust SMP customers:
The Mailslot vulnerability is of the most concern at this point, as it has the potential for a network-based automatic worm, along the lines of Sasser. Mailslots normally have a limit of 424 bytes; however, given that this is a buffer overflow vulnerability, one must assume that limit is not being enforced. As such, it could be possible for a worm to be created which, when anonymously fired at a remote system listening on port 445/TCP, could cause the victim to run the code contained in the attack. Systems with port 445/TCP exposed to the Internet, or internal networks which do not ensure the integrity and security of roving laptops, are at greatest risk. Details of this vulnerability have not yet been published; however, they are likely to be disclosed soon.
The SMB vulnerability could allow a remote attacker to view the contents of SMB buffers. These buffers would contain, at times, critically sensitive security information regarding the SMB connection (e.g. a connection with a domain controller or file server). That information could possibly be used to enable a man-in-the-middle attack, although details have not been provided. The attacker would have to be authenticated by victim systems running Windows 2000, XP SP1, or Windows Server 2003. It is interesting to note that Windows XP SP2 systems do not require the attacker to authenticate.

Recommendations for Cybertrust SMP customers:
Given the potential for harm from exploitation of the Mailslot vulnerability, our recommendation is based on our concern over that issue. This is not to suggest that the SMB vulnerability is not of concern. It is, as it has the potential to strike at the core of our trust in our authentication mechanism. Cybertrust recommends deploying this patch within the next 7 days. We believe this is prudent because details may already have been disclosed privately, and are likely to become public knowledge in the very near future. Once disclosed, the vulnerability presents an attractive target to botherders and their ilk, not to mention anyone wishing to relive the "good old days" of massive global worms.

Mitigations:
+ Neither Mailslots nor SMB buffers should be accessible from the Internet if your machine is reasonably configured. Blocking port 445/TCP prevents exploitation of the Mailslot vulnerability, while blocking TCP and UDP ports 139 and 445 is required to prevent exploitation of the SMB vulnerability. This should already be the case in your environment, as ongoing attacks exist involving these ports.
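As an added example that is not part of the Cybertrust alert: a small Python check over constructed firewall log lines (the field order, address ranges and traffic are all assumed) that flags the two conditions the alert describes, an outside source being accepted on 139/445 despite the perimeter block it calls for, and one internal host touching those ports on many distinct machines, the fan-out a Sasser-style worm or an infected roving laptop would produce.

```python
from collections import defaultdict
import ipaddress
# Ports the alert says to block at the perimeter: 445/TCP (Mailslot issue)
# and 139/445 over TCP and UDP (SMB buffer issue).
WATCHED = {("TCP", 445), ("TCP", 139), ("UDP", 445), ("UDP", 139)}
# Assumed internal address space (RFC 1918); anything else is "outside".
INTERNAL = [ipaddress.ip_network(n)
            for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed sample lines (not real traffic), field order assumed here:
# date time action protocol src-ip dst-ip src-port dst-port
SAMPLE_LOG = """\
2006-07-12 04:50:01 DROP TCP 203.0.113.7 192.168.1.10 3312 445
2006-07-12 04:50:02 ACCEPT TCP 203.0.113.7 192.168.1.10 3313 445
2006-07-12 04:51:00 DROP TCP 10.1.5.23 10.1.5.24 1056 445
2006-07-12 04:51:00 DROP TCP 10.1.5.23 10.1.5.25 1057 445
2006-07-12 04:51:01 DROP TCP 10.1.5.23 10.1.5.26 1058 445
2006-07-12 04:51:01 DROP TCP 10.1.5.23 10.1.5.27 1059 445
2006-07-12 04:51:02 DROP TCP 10.1.5.23 10.1.5.28 1060 445
2006-07-12 04:51:05 ACCEPT TCP 10.1.5.40 10.1.5.2 1300 445
2006-07-12 04:52:00 ACCEPT UDP 10.1.5.41 10.1.5.2 137 137
"""

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)

def parse(line):
    """Split one log line; return None for blank or malformed lines."""
    f = line.split()
    if len(f) < 8:
        return None
    return {"action": f[2], "proto": f[3], "src": f[4],
            "dst": f[5], "dport": int(f[7])}

def analyse(log, fanout_threshold=5):
    """Return (external_accepts, suspected_scanners)."""
    external_accepts = []          # outside source ACCEPTed on a watched port
    targets = defaultdict(set)     # internal source -> hosts it touched
    for line in log.splitlines():
        rec = parse(line)
        if rec is None or (rec["proto"], rec["dport"]) not in WATCHED:
            continue
        if is_internal(rec["src"]):
            targets[rec["src"]].add(rec["dst"])   # dropped or not, it tried
        elif rec["action"] == "ACCEPT":
            external_accepts.append(rec)          # perimeter block is missing
    scanners = {s: len(d) for s, d in targets.items()
                if len(d) >= fanout_threshold}
    return external_accepts, scanners
```

Dropped packets still count toward the fan-out score on purpose: a host that is being refused on 445 by five neighbours in two seconds is the signal, whatever the firewall decided.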

Links:
Microsoft Security Bulletin MS06-035 - Vulnerability in Server Service Could Allow Remote Code Execution (917159) http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx

Threat: Low with potential for explosive escalation
Cybertrust SMP customer vulnerability: High
Impact: High

DISCLAIMER:
Copyright 2006 Cybertrust, Inc. All rights reserved. This Intelligence Bulletin is the property of Cybertrust, Inc. It may not be redistributed except within your own company or organization. This Intelligence Bulletin is being provided for informational purposes only and is provided "AS IS." Cybertrust, Inc. makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct.

Impenetrable security is unattainable in real world environments; Cybertrust, Inc. cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL CYBERTRUST, INC. BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS INTELLIGENCE BULLETIN, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE INTELLIGENCE BULLETINS, EVEN IF CYBERTRUST, INC. HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.