Protect yourself against future threats.
-----BEGIN PGP SIGNED MESSAGE----- =========================================================================== AUSCERT External Security Bulletin Redistribution ESB-2001.444 -- Microsoft Security Bulletin MS01-052 (Version 2.0) Invalid RDP Data can Cause Terminal Service Failure 23 October 2001 =========================================================================== AusCERT Security Bulletin Summary --------------------------------- Product: Terminal Service Vendor: Microsoft Operating System: Windows NT Server 4.0, Terminal Server Edition Windows 2000 Server Windows 2000 Advanced Server Windows 2000 Datacenter Server Impact: Denial of Service Access Required: Remote - --------------------------BEGIN INCLUDED TEXT-------------------- - -----BEGIN PGP SIGNED MESSAGE----- - - - - - ---------------------------------------------------------------------- Title: Invalid RDP Data can Cause Terminal Service Failure Date: 18 October 2001 Revised: 22 October 2001 (version 2.0) Software: Windows NT 4.0 Server, Terminal Server Edition, Windows 2000 Server and Advanced Server Impact: Denial of service Max Risk: Moderate Bulletin: MS01-052 Microsoft encourages customers to review the Security Bulletin at: http://www.microsoft.com/technet/security/bulletin/MS01-052.asp. - - - - - - - - - ---------------------------------------------------------------------- Reason for Revision: ==================== On October 18, 2001 Microsoft released the original version of this bulletin. On October 19, 2001, an issue was identified with the Windows 2000 patch. The patch was withdrawn so that it could be updated and re-released. On October 22, 2001 the updated patch and bulletin were posted. We recommend that customers who installed the original version of the Windows 2000 patch install the updated version. Issue: ====== The implementation of the Remote Data Protocol (RDP) in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost. It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability - the only prerequisite would be the need to be able to send the correct series of packets to the RDP port on the server. Mitigating Factors: ==================== - There is no capability to breach the security of a terminal server session via this vulnerability, or to add, change or delete data on the server. It is a denial of service vulnerability only. - The specific sequence of data packets involved in this vulnerability cannot be generated as part of a legitimate terminal server session. Risk Rating: ============ - Internet systems: Low - Intranet systems: Moderate - Client systems: None Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms01-052.asp for information on obtaining this patch. Acknowledgment: =============== - Luciano Martins of Deloitte & Touche Argentina (http://www.deloitte.com.ar) - - - - - - - - - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. - -----BEGIN PGP SIGNATURE----- Version: PGP 7.1 iQEVAwUBO9RPa40ZSRQxA/UrAQFT0Qf/cLyEfyJL/wFRiknDPflLhlWPOaaRlYLw m0vZK8i0Ldl9gKs0VmMaQXQgYiDlzTzuPZ7YRlrS3UVsjMobM/UpsI/X7slnFGIf fgach+VUqwSbNZcm/Y8FuER0dxJ1sqwjjrYmaVodTD7pUGv5/4ovAhephos3Vz20 8See6sl5aqsdC2j1kGgpeleB9cR5sno17PfaiiacG2EDt4urRMhYSGn8rhzDH5kt 365A4N+LFDt0pyIvKsfk4q91UT6kO7YwfvBpjhqBkqs5mjJd9pw/YzL1kIBM7MjO fk+KV8mVTT3PoJf4yz385KwXt3wpcxuk592fQk8bHRs9bPvKVjfJaw== =HyTQ - -----END PGP SIGNATURE----- - --------------------------END INCLUDED TEXT-------------------- You have received this e-mail bulletin as a result of your organisation's registration with AusCERT. The mailing list you are subscribed to is maintained within your organisation, so if you do not wish to continue receiving these bulletins you should contact your local IT manager. If you do not know who that is, please send an email to auscert@auscert.org.au and we will forward your request to the appropriate person. This security bulletin is provided as a service to AusCERT's members. As AusCERT did not write the document quoted above, AusCERT has had no control over its content. The decision to use any or all of this information is the responsibility of each user or organisation, and should be done so in accordance with site policies and procedures. NOTE: This is only the original release of the security bulletin. It may not be updated when updates to the original are made. If downloading at a later date, it is recommended that the bulletin is retrieved directly from the original authors to ensure that the information is still current. Contact information for the authors of the original document is included in the Security Bulletin above. If you have any questions or need further information, please contact them directly. Previous advisories and external security bulletins can be retrieved from: http://www.auscert.org.au/Information/advisories.html If you believe that your system has been compromised, contact AusCERT or your representative in FIRST (Forum of Incident Response and Security Teams). Internet Email: auscert@auscert.org.au Facsimile: (07) 3365 7031 Telephone: (07) 3365 4417 (International: +61 7 3365 4417) AusCERT personnel answer during Queensland business hours which are GMT+10:00 (AEST). On call after hours for emergencies. -----BEGIN PGP SIGNATURE----- Version: 2.6.3i Charset: noconv Comment: ftp://ftp.auscert.org.au/pub/auscert/AUSCERT_PGP.key iQCVAwUBO9VfAyh9+71yA2DNAQFMegP/QeQl5SvOCVU3Tr4LFbZ1rBhaUVNSUSbi WKXigw87VzEtST/MEQkGttJHN6noDhxfmVmYYJEHxYhQ4DxiK3OWKgkchvnzLG24 Q3yCePAPvZUfdddz/b1dUSvUFKzzHptN4atbLldNcmIkhnAwY1JYRYXeUN5BhlKr 1uba5WjuZj8= =lfLB -----END PGP SIGNATURE-----