Microsoft SMB Signing Flaw May Let Remote Users With Access to an SMB Session Gain Control of a Network Client
SecurityTracker Alert ID: 1005796
CVE Reference: CAN-2002-1256
Date: Dec 12 2002
Impact: Disclosure of system information, Disclosure of user information, Modification of system information, Modification of user information, Root access via network
Fix Available: Yes
Vendor Confirmed: Yes
Version(s): Windows 2000, XP
Description: A vulnerability was reported in the Server Message Block (SMB) protocol implementation in Microsoft Windows 2000 and XP. A remote user with access to the SMB packet stream between a network client and server could gain access to the client.
It is reported that the SMB protocol, used for (among other things) disseminating group policy information from domain controllers to newly logged on systems, contains a flaw in applying digital signatures. A remote user with access to the SMB packet stream could cause the SMB Signing settings to be "silently downgraded."
A remote user with access to the session negotiation packet stream could reportedly modify the data stream to cause either or both target systems to send unsigned data instead of using the signing policy set by the administrator. Once the packet data is transmitted in an unsigned format, the remote user could then modify the session data without detection.
It is reported that Windows XP clients with SP1 may inadvertently trigger the flaw.
According to Microsoft, Windows XP SP1 contained a regression error that adds information to the SMB Signing negotiation information that can cause Windows XP Gold or Windows 2000 systems to drop SMB signing. However, XP SP1 is not vulnerable.
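The downgrade described above shows up on the wire as session messages that travel unsigned even though the server advertised signing in its Negotiate response. The following Python is an added example, not code from the bulletin or from Microsoft, that decodes the NT LM 0.12 SecurityMode signing bits and flags later messages that lack the Flags2 signature bit; the sample messages are constructed, and treating an all-zero SecurityFeatures field as "unsigned" is an assumption of this check.

```python
import struct

SMB1_MAGIC = b"\xffSMB"
SMB_COM_NEGOTIATE = 0x72
FLAGS2_SECURITY_SIGNATURE = 0x0004  # Flags2 bit: this message carries a signature
SECMODE_SIGNING_ENABLED = 0x04      # NegotiateResponse.SecurityMode bits (NT LM 0.12)
SECMODE_SIGNING_REQUIRED = 0x08


def parse_header(pkt: bytes) -> dict:
    """Pull command, Flags2 and the 8-byte SecurityFeatures field from an SMB1 header."""
    if len(pkt) < 33 or pkt[:4] != SMB1_MAGIC:
        raise ValueError("not an SMB1 message")
    return {"command": pkt[4],
            "flags2": struct.unpack_from("<H", pkt, 10)[0],
            "signature": pkt[14:22]}

def negotiate_security_mode(pkt: bytes) -> dict:
    """Decode the signing bits the server advertised in its Negotiate response."""
    if parse_header(pkt)["command"] != SMB_COM_NEGOTIATE or pkt[32] != 17:
        raise ValueError("not an NT LM 0.12 negotiate response")
    mode = pkt[35]  # header(32) + WordCount(1) + DialectIndex(2) precede SecurityMode
    return {"enabled": bool(mode & SECMODE_SIGNING_ENABLED),
            "required": bool(mode & SECMODE_SIGNING_REQUIRED)}

def is_signed(pkt: bytes) -> bool:
    """Heuristic (assumption): signed messages set the Flags2 bit and carry a non-zero MAC."""
    hdr = parse_header(pkt)
    return bool(hdr["flags2"] & FLAGS2_SECURITY_SIGNATURE) and hdr["signature"] != bytes(8)

def audit_session(packets: list) -> list:
    """List every post-negotiation message that is unsigned although signing was negotiated."""
    policy = negotiate_security_mode(packets[0])
    if not (policy["enabled"] or policy["required"]):
        return ["server never offered signing"]
    return [f"message {i}: unsigned although signing was negotiated"
            for i, pkt in enumerate(packets[1:], start=1) if not is_signed(pkt)]

def build_smb1(command: int, flags2: int, signature: bytes, body: bytes) -> bytes:
    """Builds constructed test messages only: a minimal 32-byte SMB1 header plus body."""
    return (SMB1_MAGIC + bytes([command]) + bytes(4) + b"\x18"
            + struct.pack("<H", flags2) + bytes(2) + signature + bytes(10) + body)

# Constructed sample exchange (not captured traffic): the negotiate response advertises
# SecurityMode 0x0F (user-level, challenge/response, signing enabled and required).
NEGOTIATE_RESP = build_smb1(SMB_COM_NEGOTIATE, 0x0001, bytes(8), bytes([17, 0, 0, 0x0F]) + bytes(33))
SIGNED_MSG = build_smb1(0x73, FLAGS2_SECURITY_SIGNATURE | 0x0001, b"\x11\x22\x33\x44\x55\x66\x77\x88", bytes(1))
UNSIGNED_MSG = build_smb1(0x75, 0x0001, bytes(8), bytes(1))
```

Run over a capture, a non-empty result from `audit_session` is the signal that the negotiated signing policy was not honoured on the session.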
Impact: According to the report, the most serious impact would be the modification of group policy information transmitted from a Windows 2000 domain controller to a target network client that has just logged on. This would enable the remote user to take control of the target network client.
Solution: Microsoft has released the following patches:
For Microsoft Windows 2000:
* All languages except NEC Japanese:
http://microsoft.com/downloads/details.aspx?FamilyId=52EAC216-A360-4E2D-9C6B-AD4D31C40BA2&displaylang=en
* Japanese NEC:
http://microsoft.com/downloads/details.aspx?FamilyId=F4119765-846B-491C-B162-BE06BD432828&displaylang=ja
For Microsoft Windows XP:
* 32-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=77B49431-742B-4426-AD45-F09D3AED16CB&displaylang=en
* 64-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=580FCE68-B7E2-4BF9-8A16-54D1E39F2168&displaylang=en
Microsoft notes that the Windows 2000 patch can be applied to Windows 2000 SP2 or SP3 and that the Windows XP patch can be installed on Windows XP Gold.
The fix for this issue is included in Windows XP SP1 and will be included in Windows 2000 SP4.
Microsoft plans to issue Knowledge Base article 309376 regarding this issue, to be available shortly on the Microsoft Online Support web site at:
http://support.microsoft.com/?scid=fh;en-us;kbhowto
Vendor URL: www.microsoft.com/technet/security/bulletin/MS02-070.asp
Cause: Exception handling error, State error
Underlying OS: Windows (2000), Windows (XP)
Message History:
None.
Source Message Contents
Date: Thu, 12 Dec 2002 02:16:33 -0500
Subject: MS02-070
http://www.microsoft.com/technet/security/bulletin/MS02-070.asp
"Flaw in SMB Signing Could Enable Group Policy to be Modified (309376)"
Microsoft issued Security Bulletin MS02-070 warning of a flaw in SMB signing on Windows
2000 and Windows XP systems.
It is reported that the Server Message Block (SMB) protocol, used for (among other things)
disseminating group policy information from domain controllers to newly logged on systems,
contains a flaw in applying digital signatures. A remote user with access to the SMB
packet stream could cause the SMB Signing settings to be "silently downgraded."
A remote user with access to the session negotiation packet stream could reportedly modify
the data stream to cause either or both target systems to send unsigned data instead of
using the signing policy set by the administrator. Once the packet data is transmitted in
an unsigned format, the remote user could then modify the session data without detection.
According to the report, the most serious impact would be the modification of group policy
information transmitted from a Windows 2000 domain controller to a target network client
that has just logged on. This would enable the remote user to take control of the target
network client.
It is reported that Windows XP clients with SP1 may inadvertently trigger the flaw.
According to Microsoft, Windows XP SP1 contained a regression error that adds information
to the SMB Signing negotiation information that can cause Windows XP Gold or Windows 2000
systems to drop SMB signing.
Microsoft has released the following patches:
For Microsoft Windows 2000:
* All languages except NEC Japanese:
http://microsoft.com/downloads/details.aspx?FamilyId=52EAC216-A360-4E2D-9C6B-AD4D31C40BA2&displaylang=en
* Japanese NEC:
http://microsoft.com/downloads/details.aspx?FamilyId=F4119765-846B-491C-B162-BE06BD432828&displaylang=ja
For Microsoft Windows XP:
* 32-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=77B49431-742B-4426-AD45-F09D3AED16CB&displaylang=en
* 64-bit Edition:
http://microsoft.com/downloads/details.aspx?FamilyId=580FCE68-B7E2-4BF9-8A16-54D1E39F2168&displaylang=en
Microsoft notes that the Windows 2000 patch can be applied to Windows 2000 SP2 or SP3 and
the Windows XP patch can be installed on Windows XP Gold.
The fix for this issue is included in Windows XP SP1 and will be included in Windows 2000
SP4.
Microsoft plans to issue Knowledge Base article 309376 regarding this issue, to be
available approximately shortly on the Microsoft Online Support web site at:
http://support.microsoft.com/?scid=fh;en-us;kbhowto
CVE number: CAN-2002-1256
Maximum Severity Rating: Moderate