Microsoft Windows XP Named Pipe Validation Error Lets Remote Users Obtain Information
|
|
SecurityTracker Alert ID: 1013112 |
|
SecurityTracker URL: http://securitytracker.com/id/1013112
|
|
CVE Reference:
CAN-2005-0051
(Links to External Site)
|
Date: Feb 8 2005
|
Impact:
Disclosure of system information, Disclosure of user information
|
Fix Available: Yes Vendor Confirmed: Yes
|
Version(s): XP SP1 and SP2
|
Description:
A vulnerability was reported in Microsoft Windows XP in the processing of named pipes. A remote user can determine certain usernames on the target system.
The vendor reported that the software does not properly validate authentication information when a remote user establishes an anonymous logon by using a named pipe connection. A remote user can send specially crafted requests to determine the usernames for user accounts that have an open connection to a share resource.
The vendor credits Jean-Baptiste Marchand of Herve Schauer Consultants with reporting this flaw.
|
Impact:
A remote user can determine the user names for users that have an open connection to an available shared resource.
|
Solution:
The vendor has issued the following fixes:
Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2:
http://www.microsoft.com/downloads/details.aspx?FamilyId=B8C867C2-B7CD-4E2F-90E0-169B2C7125DC
Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium):
http://www.microsoft.com/downloads/details.aspx?FamilyId=2F68945E-EEB8-42BC-A8AD-0D3991204889
A restart is not required.
|
Vendor URL: www.microsoft.com/technet/security/bulletin/ms05-007.mspx (Links to External Site)
|
Cause:
Access control error
|
Underlying OS:
|
|
Message History:
None.
|
Source Message Contents
|
Date: Tue, 8 Feb 2005 03:39:45 -0500
Subject: [none]
|
Microsoft Windows
|
|
