[SECURITY-L] [cais at cais.rnp.br: CAIS-Alerta: Cumulative Patch for Microsoft BizTalk Server (815206)]

Silvana Mieko Misuta mieko at ccuec.unicamp.br
Mon May 5 15:05:18 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Cumulative Patch for Microsoft BizTalk Server
 (815206)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Mon, 5 May 2003 14:42:32 -0300 (BRT)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is forwarding the alert published by Microsoft, Microsoft
Security Bulletin MS03-016: Cumulative Patch for BizTalk Server (815206),
which announces the availability of a cumulative patch for Microsoft
BizTalk Server 2000 and 2002.


Affected Systems:

	. Microsoft BizTalk Server 2000
	. Microsoft BizTalk Server 2002


Available fixes:

The fix consists of applying the patch recommended by Microsoft,
available at:

	. Microsoft BizTalk Server 2000:

http://microsoft.com/downloads/details.aspx?FamilyId=001E93E4-0E6E-4289-AEFE-9161D2E5AF97&displaylang=en

	. Microsoft BizTalk Server 2002:

http://microsoft.com/downloads/details.aspx?FamilyId=A05344FE-2622-4887-AA45-3DE7C4ED3C75&displaylang=en


More information:

http://www.microsoft.com/technet/security/bulletin/ms03-016.asp


CVE identifiers: CAN-2003-0117, CAN-2003-0118
                 (http://cve.mitre.org)


CAIS recommends that administrators of Microsoft platforms keep
their systems and applications up to date at all times.


Sincerely,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


--------------------------------------------------------------------
Title:      Cumulative Patch for BizTalk Server (815206)
Date:       30 April 2003
Software:   Microsoft BizTalk Server 2000 & BizTalk Server 2002
Impact:     Two vulnerabilities, the most serious of which could
            allow an attacker to run code of their choice
Max Risk:   Important
Bulletin:   MS03-016

Microsoft encourages customers to review the Security Bulletins
at: http://www.microsoft.com/technet/security/bulletin/MS03-016.asp
http://www.microsoft.com/security/security_bulletins/ms03-016.asp
--------------------------------------------------------------------

Issue:
======

Microsoft BizTalk Server is an Enterprise Integration product
that allows organizations to integrate applications, trading
partners, and business processes. BizTalk is used in intranet
environments to transfer business documents between different
back-end systems as well as extranet environments to exchange
structured messages with trading partners. This patch addresses
two newly reported vulnerabilities in BizTalk Server.

The first vulnerability affects Microsoft BizTalk Server 2002
only. BizTalk Server 2002 provides the ability to exchange
documents using the HTTP format. A buffer overrun exists in the
component used to receive HTTP documents - the HTTP receiver -
and could result in an attacker being able to execute code of
their choice on the BizTalk Server.

The second vulnerability affects both Microsoft BizTalk Server
2000 and BizTalk Server 2002. BizTalk Server provides the ability
for administrators to manage documents via a Document Tracking
and Administration (DTA) web interface. A SQL injection
vulnerability exists in some of the pages used by DTA that could
allow an attacker to send a crafted URL query string to a
legitimate DTA user. If that user were to then navigate to the
URL sent by the attacker, he or she could execute a malicious
embedded SQL statement in the query string.

Mitigating Factors:
====================

HTTP Receiver Buffer Overflow

- The HTTP Receiver is only present in Microsoft BizTalk Server
2002. BizTalk Server 2000 is not affected by this vulnerability.

- The HTTP receiver is not enabled by default. HTTP must be
explicitly enabled as a receive transport during the setup of a
BizTalk site.

- If the vulnerability was exploited to run arbitrary code, the
code would run in the security context of the IIS Server. If the
IIS Server is running under a user account, the attacker's
permissions will be limited to those of this user account.

DTA SQL Injection

- DTA users by default are not highly privileged SQL users such as
database owners, since they are only required to be members of
"BizTalk Server Report Users" security group in order to use DTA
web interface. In this case, a successful attacker's permissions
on the SQL Server will be restricted.

Risk Rating:
============
Important

Patch Availability:
===================
 - A patch is available to fix this vulnerability. Please read the
   Security Bulletins at

   http://www.microsoft.com/technet/security/bulletin/ms03-016.asp
   http://www.microsoft.com/security/security_bulletins/ms03-016.asp

   for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks Cesar Cerrudo for reporting this issue to us
and working with us to protect customers.

--------------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS
BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT
ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL
OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

*******************************************************************




----- End forwarded message -----

