             __________________________________________________________

                       The U.S. Department of Energy
                   Computer Incident Advisory Capability
                           ___  __ __    _     ___
                          /       |     /_\   /
                          \___  __|__  /   \  \___
             __________________________________________________________

                             INFORMATION BULLETIN

                Possible Vulnerability in Windows Service ACLs
                    [Microsoft Security Advisory 914457]

February 8, 2006 18:00 GMT                                        Number Q-116
[REVISED 15 Feb 2006]
[REVISED 28 Feb 2006]
______________________________________________________________________________
PROBLEM:       Microsoft is aware of published information and proof-of-concept
               code that attempts to exploit overly permissive access controls
               on third-party (i.e., non-Microsoft) application services. This
               code also attempts to exploit default services of Windows XP
               Service Pack 1 and Windows Server 2003.
PLATFORM:      Windows XP SP1
               Windows 2003 Server
DAMAGE:        If these attempts were successful, a user who has low user
               privileges could gain privilege escalation.
SOLUTION:      Follow appropriate vendor recommendations for mitigating this
               vulnerability.
______________________________________________________________________________
VULNERABILITY  The risk is LOW. A user may gain escalated privileges.
ASSESSMENT:
______________________________________________________________________________
LINKS:
 CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/q-116.shtml
 ORIGINAL BULLETIN:  http://www.microsoft.com/technet/security/advisory/914457.mspx
 CVE:                http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-0023
______________________________________________________________________________
REVISION HISTORY:
02/15/2006 - revised to reflect the changes Microsoft has made in Microsoft
             Security Advisory 914457 where they identified additional
             services, Windows XP Service Pack 2 and Windows 2000 clarification.
02/28/2006 - revised to reflect the changes Microsoft has made in Microsoft
             Security Advisory 914457 where they added Microsoft Knowledge Base
             Article 914392.
[***** Start Microsoft Security Advisory 914457 *****]

Microsoft Security Advisory (914457)
Vulnerability in Windows Service ACLs
Published: February 7, 2006 | Updated: February 22, 2006

Microsoft is aware of published information and proof-of-concept code that
attempts to exploit overly permissive access controls on both default Windows
XP Service Pack 1 and third-party (i.e., non-Microsoft) application services.
This code also attempts to exploit default services of Windows Server 2003. If
these attempts were successful, a user who has low user privileges could gain
local or remote authenticated escalation. Microsoft has investigated these
reports and the findings are summarized in the chart below.

The posted report claims potential threats to Windows XP Service Pack 2.
Microsoft has confirmed that customers who run Windows XP Service Pack 2 and
Windows Server 2003 Service Pack 1 are not vulnerable to Operating System
issues because security-related changes were made to these service packs as
part of our ongoing security improvement process. Windows XP Service Pack 2 and
Windows Server 2003 Service Pack 1 may become vulnerable if third party
application code is installed which adds services with overly permissive
access controls.

While users who run Windows XP Service Pack 1 and Windows Server 2003 Gold may
be at risk, the risk to Windows Server 2003 Gold users is extensively reduced.
Only members of the network operators group on the targeted machine can
remotely attack Windows Server 2003 Gold, and this group contains no users by
default.

Questions have also been raised about services running under Windows 2000. No
known User group escalations have been identified on Windows 2000. Scenarios
have been identified involving Power User group members, but such users should
be considered trusted users with extensive privileges and with an ability to
change computer wide settings.
For additional information on Power User rights please visit Microsoft
Knowledge Base Article 825069. Windows 2000 may become vulnerable if third
party application code is installed which adds services with overly permissive
access controls.

Software developers are encouraged to visit Microsoft Knowledge Base Article
914392 for additional information and best practices on how to apply secure
access controls to services.

Users are encouraged to contact their third-party software vendors whose
products require services installation to determine if any non-default Windows
services are affected.

Microsoft is not aware of any attacks attempting to use the reported
vulnerabilities or of customer impact at this time. Microsoft will continue to
investigate the public reports to help provide additional guidance for
customers as necessary.

Mitigating Factors:

• The latest Microsoft operating systems, including Windows XP Service Pack 2
  and Windows Server 2003 Service Pack 1, are not vulnerable to these issues.

• A malicious user who launches an attack based on the finder's report would
  require at least authenticated user access to the affected operating
  systems. By default, Authenticated Users will include Domain Users for
  domain-joined clients.

• Four of the six services identified (NetBT, SCardSvr, DHCP, DnsCache)
  require an attacker to already be running in a privileged security context.
  Additionally, the two services that do allow an Authenticated user to attack
  are vulnerable only on Windows XP Service Pack 1.

• Firewall best practices and standard default firewall configurations can
  help protect from attacks that originate outside the enterprise perimeter.
  Best practices also recommend that personal firewalls be used within a
  network and that systems connected to the Internet have a minimal number of
  ports exposed.

General Information

Overview

Purpose of Advisory: Notification of the availability of the prescriptive
guidance to help protect against this potential threat.
Advisory Status: Advisory published

Recommendation: Review the suggested actions and configure services ACLs as
appropriate. Install Windows XP Service Pack 2, Windows Server 2003 Service
Pack 1 to help protect against this vulnerability.

References          Identification
CERT Reference      VU#953860
CVE Reference       CVE-2006-0023
Service Packs       Windows XP Service Pack 2 and Windows Server 2003 Service
                    Pack 1

This advisory addresses the following Windows operating systems and default
Windows services.

Operating System                              UPnP  NetBT  SCardSvr  SSDP  DnsCache  DHCP
Microsoft Windows XP Service Pack 1           Yes   No     No        Yes   Yes       Yes
Microsoft Windows XP Service Pack 2           No    No     No        No    No        No
Windows Server 2003 gold                      *     Yes    No        *     Yes       Yes
Microsoft Windows Server 2003 Service Pack 1  *     No     No        *     No        No

Note In this table, "*" indicates that the affected service does not exist on
the identified operating system.

Note In this table, "Yes" indicates that the affected service does exist on the
identified operating system and is vulnerable to an authenticated attack. On
Windows Server 2003, an attacker must be a member of the Network Operators
group on the targeted machine.

Note In this table, "No" indicates that the affected service does exist on the
identified operating system and it is not vulnerable to attack.

Note The identified services in non-x86 operating systems map to the identified
services in x86 operating systems as follows:

• The identified services in Microsoft Windows XP Professional x64 Edition are
  the same as the identified services in Windows XP Service Pack 2.

• The identified services in Microsoft Windows Server 2003 for Itanium are the
  same as the identified services in Windows Server 2003.

• The identified services in Microsoft Windows Server 2003 with SP1 for Itanium
  are the same as the identified services in Windows Server 2003 Service
  Pack 1.

• The identified services in Microsoft Windows Server 2003 x64 Edition are the
  same as the identified services in Windows Server 2003 Service Pack 1.
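The recommendation above is to review and configure service ACLs. The following is an added audit example, not code from CIAC or Microsoft: it parses service security descriptors in SDDL form (the format `sc sdshow <service>` prints) and flags allow ACEs that give a low-privileged well-known SID a right that lets it alter the service, which is the overly permissive configuration this advisory describes. The SDDL strings in SAMPLE are constructed for illustration, not taken from any real system.

```python
import re
# Two-letter SDDL right codes that let the holder alter a service or its
# security descriptor, with the matching bits for ACEs written as a hex mask.
WRITE_RIGHTS = {"DC": "SERVICE_CHANGE_CONFIG", "SD": "DELETE", "WD": "WRITE_DAC",
                "WO": "WRITE_OWNER", "GW": "GENERIC_WRITE", "GA": "GENERIC_ALL"}
MASK_BITS = {0x2: "SERVICE_CHANGE_CONFIG", 0x10000: "DELETE", 0x40000: "WRITE_DAC",
             0x80000: "WRITE_OWNER", 0x40000000: "GENERIC_WRITE", 0x10000000: "GENERIC_ALL"}
# Well-known SID aliases for principals that should never hold these rights.
LOW_PRIV = {"WD": "Everyone", "AU": "Authenticated Users", "BU": "Users",
            "IU": "Interactive", "NU": "Network", "AN": "Anonymous"}
ACE_RE = re.compile(r"\(([^)]*)\)")

def dacl_aces(sddl):
    """Return (ace_type, rights, trustee) for each ACE in the D: section only."""
    if "D:" not in sddl:
        return []
    dacl = sddl.split("D:", 1)[1].split("S:", 1)[0]  # stop before the SACL
    fields = (ace.split(";") for ace in ACE_RE.findall(dacl))
    return [(f[0], f[2], f[5]) for f in fields if len(f) >= 6]

def rights_granted(rights):
    """Map an ACE rights field (letter codes or hex mask) to dangerous right names."""
    if rights.lower().startswith("0x"):
        mask = int(rights, 16)
        return [name for bit, name in MASK_BITS.items() if mask & bit]
    codes = [rights[i:i + 2] for i in range(0, len(rights), 2)]
    return [WRITE_RIGHTS[c] for c in codes if c in WRITE_RIGHTS]

def weak_aces(sddl):
    """[(principal, [rights])] for allow ACEs giving write rights to low-privileged SIDs."""
    found = []
    for ace_type, rights, trustee in dacl_aces(sddl):
        bad = rights_granted(rights) if ace_type == "A" and trustee in LOW_PRIV else []
        if bad:
            found.append((LOW_PRIV[trustee], bad))
    return found

def audit(services):
    """services: {name: sddl}; returns only the services that have findings."""
    return {name: weak_aces(sddl) for name, sddl in services.items() if weak_aces(sddl)}

# Constructed sample descriptors in the form 'sc sdshow <service>' prints them.
SAMPLE = {
    "GoodSvc": "D:(A;;CCLCSWRPWPDTLOCRRC;;;SY)(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)"
               "(A;;CCLCSWLOCRRC;;;IU)S:(AU;FA;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;WD)",
    "WeakSvc": "D:(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCDCLCSWRPWPDTLOCRRC;;;AU)",
    "HexSvc": "D:(A;;0x000F01FF;;;BU)",
}
```

Only allow ACEs for the listed well-known aliases are examined; ACEs that name an explicit SID string or a custom group need the group's membership checked by hand before deciding whether the grant is acceptable.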
Suggested Actions

Users and administrators who want to protect themselves from this issue may
find the following helpful.

The most recent platforms are not vulnerable to this issue. Users are
encouraged to update to the latest versions of Windows XP Service Pack 2 and
Windows Server 2003 Service Pack 1.

Workarounds

Protect Your PC

• We continue to encourage customers to follow our Protect Your PC guidance of
  enabling a firewall, getting software updates and installing anti-virus
  software. Customers can learn more about these steps by visiting the Protect
  Your PC Web site.

• For more information about staying safe on the Internet, customers can visit
  the Microsoft Security Home Page.

• Keep Windows Updated

  All Windows users should apply the latest Microsoft security updates to help
  make sure that their computers are as protected as possible. If you are not
  sure whether your software is up to date, visit the Windows Update Web site,
  scan your computer for available updates, and install any high-priority
  updates that are offered to you. If you have Automatic Updates enabled, the
  updates are delivered to you when they are released, but you have to make
  sure you install them.

Resources:

• You can provide feedback by completing the form by visiting the following
  Web site.

• Customers in the U.S. and Canada can receive technical support from Microsoft
  Product Support Service. For more information about available support
  options, see the Microsoft Help and Support Web site.

• International customers can receive support from their local Microsoft
  subsidiaries. For more information about how to contact Microsoft for
  international support issues, visit the International Support Web site.

• The Microsoft TechNet Security Web site provides additional information
  about security in Microsoft products.

Disclaimer:

The information provided in this advisory is provided "as is" without warranty
of any kind.
Microsoft disclaims all warranties, either express or implied, including the
warranties of merchantability and fitness for a particular purpose. In no event
shall Microsoft Corporation or its suppliers be liable for any damages
whatsoever including direct, indirect, incidental, consequential, loss of
business profits or special damages, even if Microsoft Corporation or its
suppliers have been advised of the possibility of such damages. Some states do
not allow the exclusion or limitation of liability for consequential or
incidental damages so the foregoing limitation may not apply.

Revisions:

• February 7, 2006: Advisory published
• February 7, 2006: Added line breaks to Group Policy workaround security
  template for Windows XP Service Pack 1
• February 8, 2006: Added additional FAQ information for affected platforms
  and service start-up type properties
• February 14, 2006: Additional services identified, Windows XP Service Pack 2
  and Windows 2000 clarification
• February 22, 2006: Added Microsoft Knowledge Base Article 914392

[***** End Microsoft Security Advisory 914457 *****]

_______________________________________________________________________________

CIAC wishes to acknowledge the contributions of Microsoft for the information
contained in this bulletin.
_______________________________________________________________________________

CIAC, the Computer Incident Advisory Capability, is the computer security
incident response team for the U.S. Department of Energy (DOE) and the
emergency backup response team for the National Institutes of Health (NIH).
CIAC is located at the Lawrence Livermore National Laboratory in Livermore,
California. CIAC is also a founding member of FIRST, the Forum of Incident
Response and Security Teams, a global organization established to foster
cooperation and coordination among computer security teams worldwide.

CIAC services are available to DOE, DOE contractors, and the NIH.
CIAC can be contacted at:
    Voice:    +1 925-422-8193 (7x24)
    FAX:      +1 925-423-8002
    STU-III:  +1 925-423-2604
    E-mail:   ciac@ciac.org

Previous CIAC notices, anti-virus software, and other information are
available from the CIAC Computer Security Archive.

    World Wide Web:  http://www.ciac.org/
    Anonymous FTP:   ftp.ciac.org

PLEASE NOTE: Many users outside of the DOE, ESnet, and NIH computing
communities receive CIAC bulletins. If you are not part of these communities,
please contact your agency's response team to report incidents. Your agency's
team will coordinate with CIAC. The Forum of Incident Response and Security
Teams (FIRST) is a world-wide organization. A list of FIRST member
organizations and their constituencies can be obtained via WWW at
http://www.first.org/.

This document was prepared as an account of work sponsored by an agency of the
United States Government. Neither the United States Government nor the
University of California nor any of their employees, makes any warranty,
express or implied, or assumes any legal liability or responsibility for the
accuracy, completeness, or usefulness of any information, apparatus, product,
or process disclosed, or represents that its use would not infringe privately
owned rights. Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring by
the United States Government or the University of California. The views and
opinions of authors expressed herein do not necessarily state or reflect those
of the United States Government or the University of California, and shall not
be used for advertising or product endorsement purposes.
LAST 10 CIAC BULLETINS ISSUED (Previous bulletins available from CIAC)

Q-106: kdelibs Buffer Overflow
Q-107: sudo Vulnerabilities
Q-108: Wine
Q-109: Security Vulnerabilities in Sun StorEdge Enterprise Backup Software (EBS)
Q-110: ImageMagick
Q-111: HP Tru64 UNIX Running DNS BIND
Q-112: Mozilla Security Update
Q-113: Firefox Security Update
Q-114: Security Vulnerability in Sun Java System Access Manager
Q-115: Microsoft IE5 WMF Security Advisory