[SECURITY-L] CAIS Alert: Remote vulnerability in Microsoft Commerce Server 2000

Daniela Regina Barbetti daniela@ccuec.unicamp.br
Mon Feb 25 11:49:42 -03 2002


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais@cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais@cais.rnp.br>
Subject: CAIS Alert: Remote vulnerability in Microsoft Commerce Server 2000
To: <rnp-alerta@cais.rnp.br>, <rnp-seg@cais.rnp.br>
Date: Fri, 22 Feb 2002 17:24:31 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin
MS02-010, which deals with a flaw in an ISAPI filter that may allow remote
access to Microsoft Commerce Server 2000.

Commerce Server 2000 installs a .dll with an ISAPI filter that allows the
server to provide additional functionality in response to events on the
server. This filter, called AuthFilter, provides support for a number of
authentication methods. Commerce Server 2000 can also be configured to use
other authentication methods.

The vulnerability results from a flaw in the AuthFilter filter, which
contains an unchecked buffer in a section of code that handles certain
types of authentication requests.

An attacker could send authentication data that could cause the Commerce
Server process to fail, or could allow arbitrary code to run in the
security context of the Commerce Server process. The process runs with
LocalSystem privileges, which would give the attacker complete control of
the server.

Affected systems:

	. Microsoft Commerce Server 2000


Available fixes:

	. Microsoft Commerce Server 2000

	http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36683


More information:

	http://www.microsoft.com/technet/security/bulletin/MS02-010.asp


CVE identifier: CAN-2002-0050  (http://cve.mitre.org)

CAIS strongly recommends that Windows system administrators update their
systems, given the severity of this vulnerability.


Regards,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais@cais.rnp.br        http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in ISAPI Filter Could Allow Commerce
            Server Compromise
Date:       21 February 2002
Software:   Commerce Server 2000
Impact:     Run code of attacker's choice.
Max Risk:   Critical
Bulletin:   MS02-010

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-010.asp.
- ----------------------------------------------------------------------

Issue:
======
By default, Commerce Server 2000 installs a .dll with an ISAPI
filter that allows the server to provide extended functionality in
response to events on the server. This filter, called AuthFilter,
provides support for a variety of authentication methods.
Commerce Server 2000 can also be configured to use other
authentication methods.

A security vulnerability results because AuthFilter contains an
unchecked buffer in a section of code that handles certain types
of authentication requests. An attacker who provided
authentication data that overran the buffer could cause the
Commerce Server process to fail, or could run code in the
security context of the Commerce Server process. The
process runs with LocalSystem privileges, so exploiting the
vulnerability would give the attacker complete control of
the server.
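The defect class described above (a fixed-size buffer filled from attacker-controlled authentication data without a length check) is easiest to recognise next to its corrected form. The following is an added example, not Microsoft's code and not the AuthFilter source: a length-checked handler for the credential part of an HTTP "Authorization" header value. The buffer size AUTH_MAX, the header layout and the sample values are assumptions chosen for illustration.

```c
/* Added example (not Microsoft's or Commerce Server's code): a length-checked
 * handler for the value of an HTTP "Authorization" header, the kind of
 * fixed-size buffer handling in which an unchecked copy becomes an overflow.
 * AUTH_MAX, the header layout and the sample values are assumptions. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define AUTH_MAX 256          /* hypothetical size of the on-stack buffer */

enum auth_result {
    AUTH_OK = 0,          /* credential fit the buffer and was copied */
    AUTH_TOO_LONG = 1,    /* input exceeds the buffer: rejected outright */
    AUTH_MALFORMED = 2    /* missing scheme or missing credential part */
};

/* Copy the credential part of "<scheme> <credential>" into a fixed buffer.
 * The unsafe pattern this replaces is strcpy(buf, value) with no check of
 * strlen(value) against the buffer size; here over-long input is refused
 * before any byte is written, and the copy is bounded by buflen. */
enum auth_result parse_auth_header(const char *value, char *buf, size_t buflen)
{
    const char *sp = strchr(value, ' ');
    if (sp == NULL || sp == value || sp[1] == '\0')
        return AUTH_MALFORMED;

    const char *cred = sp + 1;
    size_t n = strlen(cred);
    if (n >= buflen)                    /* leave room for the terminator */
        return AUTH_TOO_LONG;

    memcpy(buf, cred, n + 1);           /* bounded copy, including the NUL */
    return AUTH_OK;
}

/* Run one constructed header value through the handler; returns the code. */
int check_header(const char *value)
{
    char buf[AUTH_MAX];
    return (int)parse_auth_header(value, buf, sizeof buf);
}

/* Build a constructed "Basic" header whose credential is cred_len bytes of
 * 'A', to show that the handler refuses input that would not fit. */
int check_long_header(size_t cred_len)
{
    char header[4096];
    if (cred_len + 7 >= sizeof header)
        return -1;                      /* test input itself too large */
    memcpy(header, "Basic ", 6);
    memset(header + 6, 'A', cred_len);
    header[6 + cred_len] = '\0';
    return check_header(header);
}

int main(void)
{
    /* constructed sample values */
    printf("short credential: %d\n", check_header("Basic dXNlcjpwYXNz"));
    printf("1000-byte credential: %d\n", check_long_header(1000));
    printf("missing credential: %d\n", check_header("Basic"));
    return 0;
}
```

The point of the check is that the decision is made on the input length before any copy happens: input that does not fit is rejected with an error the caller can turn into a 4xx response, rather than truncated (which can change what gets authenticated) or copied unchecked (which is the overflow the bulletin describes).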

Mitigating Factors:
====================
 - Although Commerce Server 2000 does rely on IIS for its base
   web services, the AuthFilter ISAPI filter is only available
   as part of Commerce Server. Customers using IIS are at no
   risk from this vulnerability.

 - The URLScan tool, if deployed using the default ruleset for
   Commerce Server, would make it difficult if not impossible
   for an attacker to exploit the vulnerability to run code,
   by significantly limiting the types of data that could be
   included in an URL. It would, however, still be possible
   to conduct denial of service attacks.

 - An attacker's ability to extend control from a compromised
   web server to other machines would depend heavily on the
   specific configuration of the network. Best practices recommend
   that the network architecture account for the inherent high risk
   that machines in an uncontrolled environment, like the Internet,
   face by minimizing overall exposure through measures like DMZs,
   operating with minimal services and isolating contact with
   internal networks. Steps like this can limit overall exposure
   and impede an attacker's ability to broaden the scope of a
   possible compromise.

 - While the ISAPI filter is installed by default, it is not loaded
   on any web site by default. It must be enabled through the
   Commerce Server Administration Console in the Microsoft
   Management Console (MMC).

Risk Rating:
============
 - Internet systems: Critical
 - Intranet systems: Critical
 - Client systems: None

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletin at
   http://www.microsoft.com/technet/security/bulletin/ms02-010.asp
   for information on obtaining this patch.

- ---------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.


*******************************************************************

You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.


For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
- ------------ Output from pgp ------------
Good signature made 2002-02-22 00:30 GMT by key:
  2048 bits, Key ID 3103F52B, Created 2000-01-22
   "Microsoft Security Response Center <secure@microsoft.com>"
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center <secure@microsoft.com>
-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPHapB+kli63F4U8VAQFpBAP/biSFAbCeH3e7jpKvG5nbMNZ/hpwTdm9a
GF6QvmIl2sOwqXXsYxOIfwXfGSuqRrygcm22heeny0dirbL64J9+pPzlW1YVPX9W
gio0hwvYY0jNsnmehwqrOmW73/bzwCbYpIxj6rgUR/8XWxW2aHg6igRS9MW6etev
sN57o9BUgbE=
=3Snj
-----END PGP SIGNATURE-----



----- End forwarded message -----



