===========================================================================
             AUSCERT External Security Bulletin Redistribution

                          ESB-2006.0456 -- [Win]
  MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution
                               12 July 2006

===========================================================================

        AusCERT Security Bulletin Summary
        ---------------------------------

Product:              Server service
Publisher:            Microsoft
Operating System:     Windows Server 2003 x64 Edition
                      Windows Server 2003 Itanium SP1
                      Windows Server 2003 Itanium
                      Windows Server 2003 SP1
                      Windows Server 2003
                      Windows XP Professional x64 Edition
                      Windows XP SP1 and SP2
                      Windows 2000 SP 4
Impact:               Execute Arbitrary Code/Commands
                      Access Privileged Data
Access:               Remote/Unauthenticated
CVE Names:            CVE-2006-1315 CVE-2006-1314

Original Bulletin:    http://www.microsoft.com/technet/security/Bulletin/MS06-035.mspx

Comment: This bulletin refers to two separate vulnerabilities. The more serious of the two may allow the remote execution of arbitrary code. The other is an information disclosure vulnerability. Note that both of these vulnerabilities are fixed by the patch.

--------------------------BEGIN INCLUDED TEXT--------------------

MS06-035 Vulnerability in Server Service Could Allow Remote Code Execution
CVE-2006-1315 CVE-2006-1314

Affected Software:

- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1
- Microsoft Windows XP Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 for Itanium-based Systems
- Microsoft Windows Server 2003 with SP1 for Itanium-based Systems
- Microsoft Windows Server 2003 x64 Edition

Non-Affected Software:

- Microsoft Windows 98
- Microsoft Windows 98 Second Edition (SE)
- Microsoft Windows Millennium Edition (Me)

CVE-2006-1314 - Mailslot Heap Overflow Vulnerability
====================================================

There is a remote code execution vulnerability in the Server driver that could allow an attacker who successfully exploited this vulnerability to take complete control of the affected system.

Mitigating Factors
------------------

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Microsoft Windows XP Service Pack 2 and Microsoft Windows Server 2003 Service Pack 1 do not have services listening on Mailslots in default configurations.

Attempts to exploit this vulnerability will most probably result in a Denial of Service condition caused by an unexpected restart of the affected system rather than Remote Code Execution.

Workarounds
-----------

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors.

- Block TCP port 445 at the firewall: This port is used to initiate a connection with the affected component.
  Blocking TCP port 445 at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

- To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.

  By default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet. In Windows XP Service Pack 2 this feature is called the Windows Firewall.

  To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.

  To configure Internet Connection Firewall manually for a connection, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
  3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
  4. Click the Advanced tab.
  5. Click to select the "Protect my computer or network by limiting or preventing access to this computer from the Internet" check box, and then click OK.

  Note: If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.

- To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.

  You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

- To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.

  Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

CVE-2006-1315 - SMB Information Disclosure Vulnerability
========================================================

There is an information disclosure vulnerability in the Server service that could allow an attacker to view fragments of memory used to store SMB traffic during transport.

Mitigating Factors
------------------

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

For customers who require the affected component, firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

On Windows 2000, Windows XP Service Pack 1, and Windows Server 2003, an attacker must have valid logon credentials to exploit this vulnerability.
The vulnerability could not be exploited by anonymous users. However, the affected component is available remotely to users who have standard user accounts. In certain configurations, anonymous users could authenticate as the Guest account. For more information, see Microsoft Security Advisory 906574.

Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

Workarounds
-----------

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors.

Note: Other protocols such as Internetwork Packet Exchange (IPX) and Sequenced Packet Exchange (SPX) could be vulnerable to this issue. If vulnerable protocols such as IPX and SPX are in use, it is important to block the appropriate ports for those protocols as well.

- Block TCP ports 139 and 445 at the firewall

  These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

- To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.

  By default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.

  To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.

  To configure Internet Connection Firewall manually for a connection, follow these steps:

  1. Click Start, and then click Control Panel.
  2. In the default Category View, click Networking and Internet Connections, and then click Network Connections.
  3. Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
  4. Click the Advanced tab.
  5. Click to select the "Protect my computer or network by limiting or preventing access to this computer from the Internet" check box, and then click OK.

  Note: If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.

- To help protect from network-based attempts to exploit this vulnerability, enable advanced TCP/IP filtering on systems that support this feature.

  You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.

- To help protect from network-based attempts to exploit this vulnerability, block the affected ports by using IPSec on the affected systems.

  Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

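As an added illustration of the IPSec workaround (not part of the Microsoft bulletin or the AusCERT text), the following batch file builds a local IPSec policy on Windows Server 2003 that blocks inbound TCP 139 and 445 except from one trusted subnet. The policy, filter list and filter action names and the 192.0.2.0/24 subnet are constructed placeholders; Windows 2000 and Windows XP do not have the netsh ipsec context and use ipsecpol.exe and ipseccmd.exe instead.

```bat
@echo off
rem Added example: host-based IPSec block filter for the SMB ports named in
rem the workarounds (TCP 139 and 445). All names and the trusted subnet are
rem constructed placeholders, not values from the bulletin.
set POLICY=MS06-035-workaround
set TRUSTED_NET=192.0.2.0
set TRUSTED_MASK=255.255.255.0

rem 1. Create an empty, unassigned policy.
netsh ipsec static add policy name="%POLICY%" description="Block unsolicited inbound SMB"

rem 2. Filter list matching inbound SMB from any source to this host.
rem    srcport=0 means any source port; mirrored=no keeps the filter inbound-only.
netsh ipsec static add filterlist name="SMB-in-any"
netsh ipsec static add filter filterlist="SMB-in-any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=no
netsh ipsec static add filter filterlist="SMB-in-any" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=no

rem 3. Filter list matching the same ports from the trusted subnet only.
rem    IPSec evaluates the most specific filter first, so this list wins over
rem    the any-source list for hosts inside the subnet.
netsh ipsec static add filterlist name="SMB-in-trusted"
netsh ipsec static add filter filterlist="SMB-in-trusted" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=445 mirrored=no
netsh ipsec static add filter filterlist="SMB-in-trusted" srcaddr=%TRUSTED_NET% srcmask=%TRUSTED_MASK% dstaddr=me protocol=TCP srcport=0 dstport=139 mirrored=no

rem 4. Filter actions: drop without negotiation, or pass without negotiation.
netsh ipsec static add filteraction name="SMB-block" action=block
netsh ipsec static add filteraction name="SMB-permit" action=permit

rem 5. Bind each filter list to its action inside the policy.
netsh ipsec static add rule name="Block SMB from any" policy="%POLICY%" filterlist="SMB-in-any" filteraction="SMB-block"
netsh ipsec static add rule name="Permit SMB from trusted" policy="%POLICY%" filterlist="SMB-in-trusted" filteraction="SMB-permit"

rem 6. Assign the policy so the IPSec driver starts enforcing it.
netsh ipsec static set policy name="%POLICY%" assign=y

rem 7. Review what was created before relying on it.
netsh ipsec static show policy name="%POLICY%" level=verbose
```

Only one IPSec policy can be assigned on a host at a time, so assigning this one replaces any local policy already in effect. Hosts inside the permitted subnet can still reach the Server service until the update is installed.
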
--------------------------END INCLUDED TEXT--------------------

You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person.

NOTE: Third Party Rights
This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to follow or act on information or advice contained in this security bulletin is the responsibility of each user or organisation, and should be considered in accordance with your organisation's site policies and procedures. AusCERT takes no responsibility for consequences which may arise from following or acting on information or advice contained in this security bulletin.

NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the author's website to ensure that the information is still current.

Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly.

Previous advisories and external security bulletins can be retrieved from:

        http://www.auscert.org.au/render.html?cid=1980

If you believe that your computer system has been compromised or attacked in any way, we encourage you to let us know by completing the secure National IT Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================