SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-04-12

Security Updates from Microsoft; Multiple Vendors - ICMP Affecting TCP Sessions

Published: 2005-04-12
Last Updated: 2005-04-13 00:39:55 UTC
by Lenny Zeltser (Version: 1)

Security Updates from Microsoft



As Microsoft pre-announced in the recent notice, the company released several security updates today, affecting Microsoft Windows, Office, Exchange, and MSN Messenger software. Microsoft classified five of these updates as "Critical" and three as "Important." Please note that a proof-of-concept exploit for at least one of these vulnerabilities (MS05-020) is already publicly available.



You can find general information about today's patches at the following URL:

http://www.microsoft.com/technet/security/bulletin/ms05-apr.mspx



Our team compiled the following technical summary of today's patch cluster. This was written by several people working in parallel, so please excuse the differences in style across the segments.

Bulletin   Severity    Impact                   Supersedes
MS05-016   Important   Remote Code Execution    MS05-008
MS05-017   Important   Remote Code Execution    N/A
MS05-018   Important   Elevation of Privilege   See Below***
MS05-019   Critical    Remote Code Execution    N/A
MS05-020   Critical    Remote Code Execution    MS05-014 (Exploit available)
MS05-021   Critical    Remote Code Execution    MS04-035 (Exchange W2K only)
MS05-022   Critical    Remote Code Execution    MS05-009
MS05-023   Critical    Remote Code Execution    MS03-050

***MS05-018 supersedes the following:
Bulletin ID   Windows 2000   XP SP1         XP SP2   Windows Server 2003
MS03-013      Not Replaced   Replaced       N/A      N/A
MS03-045      Replaced       Not Replaced   N/A      Not Replaced
MS04-032      Not Replaced   Not Replaced   N/A      Replaced
MS05-002      Replaced       Replaced       N/A      Not Replaced

In addition to releasing new patches, Microsoft updated three of its previously-published security bulletins today, and released a new version of its . These updates are described below as well.



We are using CVE numbers when referring to vulnerabilities in this document. Because the vulnerabilities are relatively recent, most of the CVE links lead to documents that don't currently provide any details. We've included these links for future cross-referencing purposes.

"Critical" Vulnerabilities



- Vulnerabilities in TCP/IP Could Allow Remote Code Execution and Denial of Service. This patch addresses several vulnerabilities in the implementation of the TCP/IP stack on Windows:



* IP Validation Vulnerability ( ) - "Incomplete validation of IP Network Packets" is how Microsoft describes this vulnerability. The end result could be remote execution of code.

* ICMP Connection Reset Vulnerability ( ) - A specially crafted ICMP packet could allow the attacker to reset existing TCP connections. This vulnerability does not allow for escalation of privileges.

* ICMP Path MTU Vulnerability ( ) - A vulnerability exists in the Path Maximum Transmission Unit (PMTU) discovery process. A specially crafted packet could allow an attacker to modify the MTU for all connections on a system. Setting the MTU to a very small number can have devastating effects, creating a DoS for that system. No escalation of privileges or rights is gained by this exploit.

* TCP Connection Reset Vulnerability ( ) - A specially crafted TCP packet could allow the attacker to reset existing TCP connections. This vulnerability does not allow for escalation of privileges.

* Spoofed Connection Request Vulnerability ( ) - This vulnerability describes the LAND attack, where a specially crafted SYN packet with the source IP and port equal to the destination IP and port causes the system to think the packet came from itself and consume CPU time, resulting in a DoS.



For more information about this vulnerability and the associated patch, see .



Vulnerable: Windows 2000 Service Pack 3 and 4; Windows XP Service Pack 1 and 2; Windows XP 64-Bit Edition Service Pack 1 (Itanium); Windows XP 64-Bit Edition Version 2003 (Itanium); Windows Server 2003; Windows Server 2003 for Itanium-based systems; and Windows 98, 98SE, and ME.



Special Note: In addition to the vulnerabilities listed above and their fixes, this patch also makes changes to the following: The default TCPWindowSize registry value has been changed on some operating systems (see ). A new MaxIcmpHostRoutes registry value has also been introduced to control ICMP Path MTU related behavior (see ).



- Cumulative Security Update for Internet Explorer. This aggregate patch addresses several vulnerabilities in Internet Explorer that could lead to remote code execution:



* DHTML Object Memory Corruption Vulnerability ( )

* URL Parsing Memory Corruption Vulnerability ( )

* Content Advisor Memory Corruption Vulnerability ( )



Special note: A proof-of-concept exploit for this vulnerability is already publicly available from FrSIRT. The availability of the exploit is likely to increase the severity of this patch for most organizations.



Vulnerable: Internet Explorer 5.01 Service Pack 3 on Windows 2000 Service Pack 3; Internet Explorer 5.01 Service Pack 4 on Windows 2000 Service Pack 4; Internet Explorer 5.5 Service Pack 2 on Windows ME; Internet Explorer 6 Service Pack 1 on Windows 2000 Service Pack 3 and 4; Internet Explorer 6 Service Pack 1 on Windows XP Service Pack 1; Internet Explorer 6 Service Pack 1 on Windows 98, 98SE, and ME; Internet Explorer 6 Service Pack 1 on Windows XP 64-Bit Edition Service Pack 1 (Itanium); Internet Explorer 6 on Windows Server 2003; and Internet Explorer 6 on Microsoft Windows Server 2003 for Itanium-based systems and Windows XP 64-Bit Edition Version 2003 (Itanium).



For more information about this vulnerability and the associated patch, see .



- Vulnerability in Exchange Server Could Allow Remote Code Execution. This patch addresses the following buffer overflow in the SMTP service:



* Exchange Server Vulnerability ( ) - The service fails to handle SMTP extended verb requests. On Exchange 2000, if an attacker connects to an SMTP port (unauthenticated users will work) and issues a specially crafted extended verb request, this would allow the attacker to run code of their choice, as the SMTP service runs as Local System. On Exchange 2003 it is a little more difficult: the attacker must connect to the Exchange server with the authority of another Exchange server of that organization, and can then issue the same specially crafted extended verb request. Exchange 2003 requires the authenticating user to authenticate as an account in the Exchange Enterprise Servers or Exchange Domain Servers groups.



Vulnerable: Microsoft Exchange 2000 Server Service Pack 3; Microsoft Exchange Server 2003; and Microsoft Exchange Server 2003 Service Pack 1.



For more information about this vulnerability and the associated patch, see .



- Vulnerability in MSN Messenger Could Lead to Remote Code Execution. This patch addresses a buffer overflow condition in the parsing of GIF images by MSN Messenger, which may result in remote exploitation:



* MSN Messenger Vulnerability ( )



Vulnerable: MSN Messenger 6.2 and 7.0 beta. MSN Messenger 4.7 and 5.0 are not listed, but may be presumed vulnerable. Not Vulnerable: MSN Messenger 7.0. Unknown: Windows Messenger. Mitigations: Don't accept IMs from people you don't know.



Special Note: This bulletin is listed as an update to the previously-published advisory, and appears to be related to the same sort of problems in libpng that were discussed in MS05-009; however, this is a problem with the parsing of GIF images instead of TIFF and PNG. Although this bulletin is listed as an update to MS05-009, it does not supersede MS05-009.



For more information about this vulnerability and the associated patch, see .



- Vulnerabilities in Microsoft Word May Lead to Remote Code Execution. This patch addresses several vulnerabilities that could result in remote code execution and privilege elevation:



* Buffer Overrun in Microsoft Word ( ) - An attacker can cause a DoS condition and, potentially, could execute arbitrary code by crafting the contents of a .doc file.

* Buffer Overrun in Microsoft Word ( )


Vulnerable: Microsoft Word 2000 and 2002; Microsoft Office Word 2003; Microsoft Works Suite 2001, 2002, 2003, and 2004.



For more information about this vulnerability and the associated patch, see .

"Important" Vulnerabilities



- Vulnerability in Windows Shell that Could Allow Remote Code Execution. This patch addresses a vulnerability that seems to be tied to the way Windows Shell processes .hta files:



* Windows Shell Vulnerability ( ).



Vulnerable: Windows 2000 Service Pack 3 and 4; Windows XP Service Pack 1 and 2; Windows XP 64-Bit Edition Service Pack 1 (Itanium); Windows XP 64-Bit Edition Version 2003 (Itanium); Windows Server 2003; Windows Server 2003 for Itanium-based systems; and Windows 98, 98SE, and ME.



For more information about this vulnerability and the associated patch, see .



- Vulnerability in Message Queuing Could Allow Code Execution. This patch addresses the following vulnerability:



* Message Queuing Vulnerability ( ).



Vulnerable: Windows 2000 Service Pack 3 and 4; Windows XP Service Pack 1; Windows XP 64-Bit Edition Service Pack 1 (Itanium); and Windows 98 and 98SE.



For more information about this vulnerability and the associated patch, see .



- Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege and Denial of Service. This patch addresses several vulnerabilities:



* Font Vulnerability ( ) - "A privilege elevation vulnerability exists in the way that Windows process certain fonts."

* Windows Kernel Vulnerability ( ) - Could lead to privilege elevation.

* Object Management Vulnerability ( ) - "A denial of service vulnerability exists that could allow an attacker to send a specially crafted request locally to" affected operating systems.

* CSRSS Vulnerability ( ) - Could lead to privilege elevation.



Vulnerable: Windows 2000 Service Pack 3 and 4; Windows XP Service Pack 1 and 2; Windows XP 64-Bit Edition Service Pack 1 (Itanium); Windows XP 64-Bit Edition Version 2003 (Itanium); Windows Server 2003; Windows Server 2003 for Itanium-based Systems; and Windows 98, 98SE, and ME.


For more information about this vulnerability and the associated patch, see .

Updated Microsoft Security Bulletins and Software



In addition to addressing the vulnerabilities described above, Microsoft updated three previously-published security bulletins: , and . Additionally, Microsoft released an updated version of its today; the program now recognizes the Hacker Defender, Mimail, and Rbot malware specimen families.



The update to the advisory (Vulnerability in Cursor and Icon Format Handling Could Allow Remote Code Execution) is relevant to those who are applying the patch to Windows 98, 98SE, and ME; users of these platforms may need to re-apply the patch.



The update to the advisory (Vulnerability in PNG Processing Could Allow Remote Code Execution) reflects the availability of an updated version of Microsoft Windows Messenger, version 4.7.0.2009, for Windows XP Service Pack 1.



The update to the advisory (Vulnerability in the License Logging Service Could Allow Code Execution) revises the "Mitigating Factors" section of the write-up to reflect new findings regarding Windows 2000 Server Service Pack 4, and points out the existence of the , which is relevant to users running Windows 2000 Server Service Pack 4.

Multiple Vendors Affected: ICMP Packets Causing DoS to TCP Sessions



Advisories published today by NISCC and other organizations document vulnerabilities in several vendors' implementations of the networking stack that may result in denial of service (DoS) attacks against the affected systems or devices. The vulnerabilities allow attackers to use crafted ICMP packets to perform a number of DoS attacks against TCP-based sessions. According to the Cisco advisory, "[s]uccessful attacks may cause connection resets or reduction of throughput in existing connections."



Microsoft's security bulletin and the associated patch address this problem. (The patch also corrects other, seemingly unrelated vulnerabilities.)



The Cisco advisory on the topic, which outlines what Cisco products are vulnerable and clarifies how to address the problem, is available at:

http://www.cisco.com/warp/public/707/cisco-sa-20050412-icmp.shtml



The Juniper advisory that addresses these problems is available at the following URL (registration required):

https://www.juniper.net/alerts/viewalert.jsp?txtAlertNumber=PSN-2004-09-009



The NISCC advisory, which thoroughly documents this issue, is available at:

http://www.niscc.gov.uk/niscc/docs/al-20050412-00308.html



The vulnerability is explained in the IETF draft, authored by Fernando Gont and titled "ICMP attacks against TCP" at:

http://www.ietf.org/internet-drafts/draft-gont-tcpm-icmp-attacks-03.txt
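The two ICMP problems in MS05-019 (connection reset and Path MTU) and the multi-vendor issue described in this section share one root cause: a host acts on an ICMP error message without checking that the TCP segment quoted inside it is really one it sent. The following is an added example, not code from the diary, Microsoft, Cisco or the Gont draft; it implements the defensive checks the draft proposes (the quoted sequence number must fall inside the sender's unacknowledged window, and an unreasonably small "fragmentation needed" MTU is ignored) and, since MS05-019 also covers it, the LAND check for a SYN whose source and destination are identical. All addresses, ports, sequence numbers and the 576-byte MTU floor are constructed values chosen for the demonstration; packets are built in memory with zero checksums.

```python
# Added example (not from the ISC diary): sanity checks a host or gateway can apply
# to ICMP error messages before letting them act on a TCP connection, following the
# checks proposed in draft-gont-tcpm-icmp-attacks, plus the LAND (src == dst) check.
# Packets below are constructed in memory; checksums are left at zero on purpose.
import socket
import struct
from dataclasses import dataclass

IPPROTO_ICMP, IPPROTO_TCP = 1, 6
ICMP_DEST_UNREACH = 3
CODE_HOST_UNREACH, CODE_FRAG_NEEDED = 1, 4
TCP_SYN, TCP_ACK = 0x02, 0x10
MIN_ACCEPTED_MTU = 576  # assumed floor; a "fragmentation needed" below this is ignored


@dataclass
class TcpConn:
    local_ip: str
    local_port: int
    remote_ip: str
    remote_port: int
    snd_una: int        # oldest byte sent but not yet acknowledged (SND.UNA)
    snd_nxt: int        # next byte we will send (SND.NXT)
    path_mtu: int = 1500


def build_ipv4(src, dst, proto, payload):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, 0, 64,
                      proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + payload


def build_tcp(sport, dport, seq, flags):
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, 8192, 0, 0)


def build_icmp_error(code, offending_packet, next_hop_mtu=0):
    # RFC 792 type-3 error: 8-byte header, then the offending IP header + 8 bytes of its payload.
    hdr = struct.pack("!BBHHH", ICMP_DEST_UNREACH, code, 0, 0, next_hop_mtu)
    return hdr + offending_packet[:28]


def parse_ipv4(buf):
    ver_ihl, proto, src, dst = struct.unpack("!B8xB2x4s4s", buf[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {"proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}, buf[ihl:]


def seq_in_flight(seq, conn):
    # True if seq lies in [SND.UNA, SND.NXT), computed modulo 2**32.
    return (seq - conn.snd_una) % 2**32 < (conn.snd_nxt - conn.snd_una) % 2**32


def classify_icmp(packet, conns):
    """Return a verdict string saying how an incoming ICMP error should be treated."""
    outer, icmp = parse_ipv4(packet)
    if outer["proto"] != IPPROTO_ICMP or len(icmp) < 8 + 28:
        return "not-an-icmp-error"
    itype, code, _csum, _unused, next_mtu = struct.unpack("!BBHHH", icmp[:8])
    inner, inner_tcp = parse_ipv4(icmp[8:])
    if inner["proto"] != IPPROTO_TCP:
        return "no-embedded-tcp"
    sport, dport, seq = struct.unpack("!HHI", inner_tcp[:8])
    # The quoted packet must be one we sent, so our address is its source.
    conn = next((c for c in conns if (c.local_ip, c.local_port, c.remote_ip, c.remote_port)
                 == (inner["src"], sport, inner["dst"], dport)), None)
    if conn is None:
        return "no-matching-connection"
    if not seq_in_flight(seq, conn):
        return "sequence-out-of-window"   # 4-tuple matched but the sequence number is not ours
    if itype == ICMP_DEST_UNREACH and code == CODE_FRAG_NEEDED:
        if next_mtu < MIN_ACCEPTED_MTU:
            return "mtu-too-small"
        conn.path_mtu = next_mtu
        return "pmtu-updated"
    return "accepted"


def is_land_packet(packet):
    """LAND check: a SYN whose source and destination IP:port are identical."""
    ip, tcp = parse_ipv4(packet)
    if ip["proto"] != IPPROTO_TCP or len(tcp) < 14:
        return False
    sport, dport, _seq, _ack, _off, flags = struct.unpack("!HHIIBB", tcp[:14])
    return bool(flags & TCP_SYN) and ip["src"] == ip["dst"] and sport == dport


def demo():
    # Constructed scenario: one connection from 192.0.2.10:40000 to 198.51.100.5:80.
    conns = [TcpConn("192.0.2.10", 40000, "198.51.100.5", 80, snd_una=1000, snd_nxt=1500)]
    sent = build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_TCP, build_tcp(40000, 80, 1200, TCP_ACK))
    forged_seq = build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_TCP, build_tcp(40000, 80, 999999, TCP_ACK))
    other_port = build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_TCP, build_tcp(40001, 80, 1200, TCP_ACK))

    def icmp_from_router(code, quoted, mtu=0):
        return build_ipv4("203.0.113.1", "192.0.2.10", IPPROTO_ICMP, build_icmp_error(code, quoted, mtu))

    return {
        "frag_needed_ok": classify_icmp(icmp_from_router(CODE_FRAG_NEEDED, sent, 1400), conns),
        "frag_needed_tiny": classify_icmp(icmp_from_router(CODE_FRAG_NEEDED, sent, 68), conns),
        "host_unreach_forged": classify_icmp(icmp_from_router(CODE_HOST_UNREACH, forged_seq), conns),
        "host_unreach_unknown": classify_icmp(icmp_from_router(CODE_HOST_UNREACH, other_port), conns),
        "host_unreach_ok": classify_icmp(icmp_from_router(CODE_HOST_UNREACH, sent), conns),
        "land_syn": is_land_packet(build_ipv4("192.0.2.10", "192.0.2.10", IPPROTO_TCP, build_tcp(139, 139, 1, TCP_SYN))),
        "normal_syn": is_land_packet(build_ipv4("192.0.2.10", "198.51.100.5", IPPROTO_TCP, build_tcp(40000, 80, 1, TCP_SYN))),
        "path_mtu_after": conns[0].path_mtu,
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The sequence-number check is what defeats the off-path attacker: without it, anyone who can guess the four-tuple of a long-lived session (a BGP peering, for instance) can tear it down or shrink its MTU with a single forged ICMP message; with it, the forged message must also carry a sequence number inside the sender's unacknowledged window, which an off-path host has no way to observe. The MTU floor covers the Path MTU variant the diary describes, where an accepted tiny MTU cripples throughput rather than resetting the connection.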



Many thanks to all the handlers who contributed to the creation of today's write-up!



Lenny Zeltser

ISC Handler of the Day

http://www.zeltser.com