__________________________________________________________

                       The U.S. Department of Energy
                    Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                       Microsoft Netmon Protocol Parsing

November 8, 2000 21:00 GMT                                        Number L-016
______________________________________________________________________________
PROBLEM:       Microsoft Network Monitor (Netmon) has a buffer overflow that 
               could result in unauthorized control of a server. 
PLATFORM:      Microsoft Windows NT 4.0 Server
               Microsoft Windows 2000 Server
               Microsoft Systems Management Server 1.2 and 2.0 
DAMAGE:        Either causing Netmon to fail or causing code of the malicious 
               user's choice to run on the machine. 
SOLUTION:      Install Microsoft provided patch. 
______________________________________________________________________________
VULNERABILITY  The risk is HIGH. Vulnerability allows remote administrative 
ASSESSMENT:    access without prior privileges. 
______________________________________________________________________________

[******  Start Microsoft Bulletin ******]

Microsoft Security Bulletin (MS00-083)
- --------------------------------------

Patch Available for "Netmon Protocol Parsing" Vulnerability

Originally posted: November 01, 2000

Summary
=======
Microsoft has released a patch that eliminates a security
vulnerability in Microsoft(r) Windows NT(r) and Windows(r) 2000
server products and Systems Management Server. The vulnerability
could allow a malicious user to gain control of an affected server.

Frequently asked questions regarding this vulnerability and
the patch can be found at
http://www.microsoft.com/technet/security/bulletin/fq00-083.asp

Issue
=====
Microsoft ships two versions of Network Monitor (Netmon): a basic
version that ships with Windows NT 4.0 and Windows 2000 server
products, and full version that ships as part of Systems Management
Server (SMS) 1.2 and 2.0. Both versions include protocol parsers that
aid administrators in interpreting and analyzing previously-captured
network data. However, several of the parsers have unchecked buffers.
If a malicious user delivered a specially-malformed frame to a server
that was monitoring network traffic, and the administrator parsed it
using an affected parser, it would have the effect of either causing
Netmon to fail or causing code of the malicious user's choice to run
on the machine.

Netmon requires administrative privileges to run, but should only be
run by local, rather than domain, administrators. If this is done,
the vulnerability could be used to gain complete control over the
local machine, but could not be used to gain control over a domain.
Netmon does not ship on workstation products, so unless SMS had been
installed on a workstation, it would not be affected by this
vulnerability.

Affected Software Versions
==========================
 - Microsoft Windows NT 4.0 Server
 - Microsoft Windows NT 4.0 Server, Terminal Server Edition
 - Microsoft Windows NT 4.0 Server, Enterprise Edition
 - Microsoft Windows 2000 Server
 - Microsoft Windows 2000 Advanced Server
 - Microsoft Windows 2000 Datacenter Server
 - Microsoft Systems Management Server 1.2
 - Microsoft Systems Management Server 2.0

Note: Netmon does not ship as part of Windows NT 4.0 Workstation or
Windows 2000 Professional. These products would only be affected if
SMS had been installed on them.

Patch Availability
==================
 - Microsoft Windows NT 4.0 Server and Windows NT 4.0 Server,
   Enterprise Edition:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25487
 - Microsoft Windows NT 4.0 Server, Terminal Server Edition:
   To be released shortly.
 - Microsoft Windows 2000 Server, Advanced Server and
   Datacenter Server:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25485
 - Microsoft Systems Management Server 1.2:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25505
 - Microsoft Systems Management Server 2.0:
   http://www.microsoft.com/Downloads/Release.asp?ReleaseID=25514

Note: Customers who are running SMS should apply the SMS patch,
regardless of the platform they are running on. Customers who are not
running SMS but are using an affected server should apply the
operating system patch.

Note:
 - The patch for Windows NT 4.0 Server and Windows NT 4.0 Server,
   Enterprise Edition, should be applied atop Service Pack 6a.
   It will be included in Service Pack 7.
 - The patch for Windows NT 4.0 Server, Terminal Server Edition,
   should be applied atop Service Pack 6. It will be included in
   Service Pack 7.
 - The patch for Windows 2000 can be applied to computers running
   Windows 2000 "Gold" or Service Pack 1. It will be included in
   Windows Service Pack 2.
 - The patch for SMS 1.2 should be applied atop SMS 1.2 Service
   Pack 4.
 - The patch for SMS 2.0 can be applied to SMS 2.0 Gold, Service
   Pack 1, or Service Pack 2. It will be included in Service Pack 3.

Note: Additional security patches are available at the Microsoft
Download Center

More Information
================
Please see the following references for more information related to
this issue.
 - Frequently Asked Questions: Microsoft Security Bulletin MS00-083,
   http://www.microsoft.com/technet/security/bulletin/fq00-083.asp
 - Microsoft Knowledge Base article Q274835 discusses this issue
   and will be available soon.
 - Microsoft TechNet Security web site,
   http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft
Product Support Services is available at
http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks COVERT Labs at PGP Security, Inc.
(http://www.pgp.com/), and the ISS X-force (http://xforce.iss.net/)
for reporting this issue to us and working with us to protect
customers.

Revisions
=========
 - November 01, 2000: Bulletin Created.

[******  End Microsoft Bulletin ******]

CIAC, the Computer Incident Advisory Capability, is the computer
security incident response team for the U.S. Department of Energy
(DOE) and the emergency backup response team for the National
Institutes of Health (NIH). CIAC is located at the Lawrence Livermore
National Laboratory in Livermore, California. CIAC is also a founding
member of FIRST, the Forum of Incident Response and Security Teams, a
global organization established to foster cooperation and coordination
among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH. CIAC
can be contacted at:
    Voice:    +1 925-422-8193
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@llnl.gov

For emergencies and off-hour assistance, DOE, DOE contractor sites,
and the NIH may contact CIAC 24-hours a day. During off hours (5PM -
8AM PST), use one of the following methods to contact CIAC:

    1.  Call the CIAC voice number 925-422-8193 and leave a message, or

    2.  Call 888-449-8369 to send a Sky Page to the CIAC duty person or

    3.  Send e-mail to 4498369@skytel.com, or

    4.  Call 800-201-9288 for the CIAC Project Leader.

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

   World Wide Web:      http://www.ciac.org/
                        (or http://ciac.llnl.gov -- they're the same machine)
   Anonymous FTP:       ftp.ciac.org
                        (or ciac.llnl.gov -- they're the same machine)
   Modem access:        +1 (925) 423-4753 (28.8K baud)
                        +1 (925) 423-3331 (28.8K baud)

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins.  If you are not part of these
communities, please contact your agency's response team to report
incidents. Your agency's team will coordinate with CIAC. The Forum of
Incident Response and Security Teams (FIRST) is a world-wide
organization. A list of FIRST member organizations and their
constituencies can be obtained via WWW at http://www.first.org/.

This document was prepared as an account of work sponsored by an
agency of the United States Government. Neither the United States
Government nor the University of California nor any of their
employees, makes any warranty, express or implied, or assumes any
legal liability or responsibility for the accuracy, completeness, or
usefulness of any information, apparatus, product, or process
disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products,
process, or service by trade name, trademark, manufacturer, or
otherwise, does not necessarily constitute or imply its endorsement,
recommendation or favoring by the United States Government or the
University of California. The views and opinions of authors expressed
herein do not necessarily state or reflect those of the United States
Government or the University of California, and shall not be used for
advertising or product endorsement purposes.

LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

L-006: HP-UX lpspooler and ftpd Vulnerabilities
L-007: Microsoft IIS Folder Traversal
L-008: Microsoft HyperTerminal Buffer Overflow
L-009: Red Hat Linux "ypbind" Vulnerabil
L-010: Microsoft IIS "Cookie Marking" Vu
L-011: HP-UX bdf & df Vulnerabilities
L-012: Cisco IOS HTTP Server Query Vulnerability
L-013: Revocation of Sun Microsystems Browser Certificates
L-014: AIX Format String Vulnerability
L-015: Tcpdump Remote Buffer Overflows