AUSCERT External Security Bulletin Redistribution

                 ESB-2004.0077 -- Cisco Security Advisory
  Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049)
                              30 January 2004


        AusCERT Security Bulletin Summary

Product:                Cisco CallManager
                        Cisco Building Broadband Service Manager (BBSM)
                        Cisco Customer Response Application Server (CRA)
                        Cisco Personal Assistant (PA)
                        Cisco Conference Connection (CCC)
                        Cisco Emergency Responder (CER)
                        Cisco IP Call Center Express (IPCC Express)
                        Cisco Internet Service Node (ISN)
                        All Cisco products which run on Windows 2000
Publisher:              Cisco Systems
Operating System:       Windows 2000
Impact:                 Administrator Compromise
                        Denial of Service
Access Required:        Remote
CVE Names:              CAN-2003-0812

Ref:                    AL-2003.23

- --------------------------BEGIN INCLUDED TEXT--------------------

Hash: SHA1

Cisco Security Advisory: Buffer Overrun in Microsoft Windows 2000
Workstation Service (MS03-049)

Revision 1.0 - FINAL

For Public Release 2004 January 29 18:00 UTC (GMT)

- - -----------------------------------------------------------------------


    Affected Products
    Software Versions and Fixes
    Obtaining Fixed Software
    Exploitation and Public Announcements
    Status of This Notice: FINAL
    Revision History
    Cisco Security Procedures

- - -----------------------------------------------------------------------


This advisory describes a vulnerability that affects Cisco products and
applications running on Microsoft Windows 2000.

A vulnerability has been discovered that enables an attacker to execute
arbitrary code or perform a denial of service (DoS) against the server.
These vulnerabilities were discovered and publicly announced by
Microsoft in their Microsoft Security Bulletin MS03-049. More
information about the vulnerability can be found at the following URL:


All Cisco products and applications that are using unpatched Microsoft
Windows 2000 are vulnerable.

This advisory is available at:


Affected Products

To determine if a product is vulnerable, review the list below. If the
software versions or configuration information are provided, then only
those combinations are vulnerable. This is a list of appliance software
which needs patches downloaded from Cisco.

  * Cisco CallManager
  * Cisco Building Broadband Service Manager (BBSM)
      + BBSM Version 5.2
      + HotSpot 1.0
  * Cisco Customer Response Application Server (CRA)
  * Cisco Personal Assistant (PA)
  * Cisco Conference Connection (CCC)
  * Cisco Emergency Responder (CER)
  * Cisco IP Call Center Express (IPCC Express)
  * Cisco Internet Service Node (ISN)
Other Cisco products which run on a Microsoft based operating system
should strongly consider loading the patch from Microsoft at the
following URL:


This list is not all inclusive. Please refer to Microsoft's bulletin if
you think you have an affected Microsoft platform.

  * Cisco Unity
  * Cisco Building Broadband Service Manager (BBSM) versions 5.1 and
  * Cisco uOne Enterprise Edition
  * Cisco Latitude products
  * Cisco Network Registrar (CNR)
  * Cisco Internet Service Node (ISN)
  * Cisco Intelligent Contact Manager (ICM) (Hosted and Enterprise)
  * Cisco IP Contact Center (IPCC) (Express and Enterprise)
  * Cisco E-mail Manager (CEM)
  * Cisco Collaboration Server (CCS)
  * Cisco Dynamic Content Adapter (DCA)
  * Cisco Media Blender (CMB)
  * TrailHead (Part of the Web Gateway solution)
  * Cisco Networking Services for Active Directory (CNS/AD)
  * Cisco SN 5400 Series Storage Routers (driver to interface to
    Windows server)
  * CiscoWorks
      + CiscoWorks VPN/Security Management Solution (CWVMS)
      + User Registration Tool
      + Lan Management Solution
      + Routed WAN Management
      + Service Management
      + VPN/Security Management Solution
      + IP Telephony Environment Monitor
      + Small Network Management Solution
      + QoS Policy Manager
      + Voice Manager
  * Cisco Transport Manager (CTM)
  * Cisco Broadband Troubleshooter (CBT)
  * DOCSIS CPE Configurator
  * Cisco Secure Applications
      + Cisco Secure Scanner
      + Cisco Secure Policy Manager (CSPM)
      + Access Control Server (ACS)
  * Videoconferencing Applications
      + IP/VC 3540 Video Rate Matching Module
      + IP/VC 3540 Application Server
  * Cisco IP/TV Server

Default installations of Microsoft Windows 2000 Server automatically
enable the Workstation service. This vulnerability is not isolated to
Microsoft Windows 2000 Workstation edition.

The Microsoft Windows 2000 Workstation service is vulnerable to buffer
overflows and denial of service (DoS) attacks. This vulnerability can
be exploited to execute arbitrary code on a computer system or to
disrupt normal operation of the server.

The vulnerability has been described in more detail at the following



According to Microsoft, an attacker could gain System privileges on an
affected system, or could cause the Workstation service to fail. For a
full list of symptoms and for the most up to date information, please
see Microsoft's Bulletin at the following URL:


Software Versions and Fixes

Affected Cisco IP Telephony Applications: for all versions of Cisco
CallManager and all compatible versions of Cisco IP Interactive Voice
Response (IP IVR), Cisco IP Call Center Express (IPCC Express), Cisco
Personal Assistant (PA), Cisco Emergency Responder (CER), Cisco
Conference Connection (CCC), and Cisco Internet Service Node (ISN).

Customers should apply the win-OS-Upgrade-k9.2000-2-5sr4.exe or later
package located at the following URL: 


Cisco Building Broadband Service Manager

For BBSM Version 5.2, apply BBSM52SP2.exe found at the following URL: 


Instructions for installing service patches on BBSM can be found at the
following URL: 


Cisco HotSpot 1.0

For HotSpot1.0, apply Service Pack 1 available at the following URL: 


Obtaining Fixed Software

Where Cisco provides the operating system bundled with the product,
Cisco is offering software upgrades free of charge to address these
vulnerabilities for all affected customers. Customers may only install
and expect support for the feature sets they have purchased.

Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.

Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.

Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com
Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.

Please do not contact either "psirt@cisco.com" or
"security-alert@cisco.com" for software upgrades.

If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).

  * +1 800 553 2447 (toll free from within North America)
  * +1 408 526 7209 (toll call from anywhere in the world)
  * e-mail: tac@cisco.com
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.


Currently there are no known active worms exploiting this
vulnerability. However, users can protect themselves from the potential
infection by applying access control lists (ACLs).

The Workstation service receives packets on UDP and TCP ports 138, 139
and 445. Restricting traffic to these ports may help mitigate the
spread of any worm that exploits this vulnerability. Restricting
traffic to these ports may also help prevent improper access, DoS, and
other non-worm related exploitation.

Please also reference the Microsoft posting for additional workarounds:


Customers who have firewalls, or have deployed Network Intrusion
Detection Systems (NIDS) and/or Host Intrusion Detection Systems (HIDS)
in their network may be able to use these devices to detect attempted
exploitation or protect themselves from exploitation of this
vulnerability. Customers with these products should refer to their
product documentation from their vendor for information on how to
properly configure these devices.

Customers who have Cisco IDS devices installed in their network can
find more information at the following URL: 


Exploitation and Public Announcements

The Cisco PSIRT is not aware of any active exploitation of this

Status of This Notice: FINAL

This is a final advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked
to the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory. Should there be a significant, material
change in the facts, Cisco may update this advisory.

A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.


This advisory will be posted on Cisco's worldwide website at 


In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.

  * cust-security-announce@cisco.com
  * bugtraq@securityfocus.com
  * full-disclosure@lists.netsys.com
  * vulnwatch@vulnwatch.org
  * first-teams@first.org (includes CERT/CC)
  * cisco@spot.colorado.edu
  * cisco-voip@puck.nether.net
  * comp.dcom.sys.cisco
  * Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.

Revision History

| Revision |                 | Initial   |
| 1.0      | 2004-January-29 | public    |
|          |                 | release.  |

Cisco Security Procedures

Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at:


This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at

Version: GnuPG v1.2.3 (SunOS)


- --------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's
registration with AusCERT. The mailing list you are subscribed to is
maintained within your organisation, so if you do not wish to continue
receiving these bulletins you should contact your local IT manager. If
you do not know who that is, please send an email to auscert@auscert.org.au
and we will forward your request to the appropriate person.

This security bulletin is provided as a service to AusCERT's members.  As
AusCERT did not write the document quoted above, AusCERT has had no control
over its content. The decision to follow or act on information or advice
contained in this security bulletin is the responsibility of each user or
organisation, and should be considered in accordance with your organisation's
site policies and procedures. AusCERT takes no responsibility for consequences
which may arise from following or acting on information or advice contained in
this security bulletin.

NOTE: This is only the original release of the security bulletin.  It may
not be updated when updates to the original are made.  If downloading at
a later date, it is recommended that the bulletin is retrieved directly
from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included
in the Security Bulletin above.  If you have any questions or need further
information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:


If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:


Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business 
                hours which are GMT+10:00 (AEST).  On call after hours 
                for member emergencies only.
Comment: http://www.auscert.org.au/render.html?it=1967