[SECURITY-L] CAIS-Alerta: Vulnerabilities in the H.323 filters of Microsoft ISA Server 2000 (816458)

Security Team - UNICAMP security em unicamp.br
Wed Jan 14 10:12:48 -02 2004


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilities in the H.323 filters of Microsoft ISA
 Server 2000 (816458)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jan 2004 18:11:14 -0200 (BRDT)

-----BEGIN PGP SIGNED MESSAGE-----


Dear all,

CAIS is relaying the alert published by Microsoft, "Microsoft
Security Bulletin MS04-001: Vulnerability in Microsoft Internet Security
and Acceleration Server 2000 H.323 Filter Could Allow Remote Code
Execution (816458)", which covers the identification of a vulnerability in
the H.323 filters of Microsoft ISA Server 2000 that can be exploited
remotely, allowing an attacker to execute arbitrary code.

The H.323 filters are application filters that ISA Server 2000 uses
to monitor and control packet traffic that uses the H.323 protocol.
This protocol is used in IP telephony to carry audio and video
communications.

The vulnerability affects the Microsoft Firewall Service, part of ISA Server
2000. An attacker who exploits this vulnerability can execute malicious
code in the context of the Firewall Service, which could allow complete
control of the system.


Affected Systems:

	. Microsoft Internet Security and Acceleration Server 2000
	. Microsoft Small Business Server 2000
	. Microsoft Small Business Server 2003


Unaffected Systems:

	. Microsoft Proxy Server 2.0


Available fixes:

The fix consists of applying the patch recommended by Microsoft, which is
available at:

. Microsoft Internet Security and Acceleration Server 2000
http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en

. Microsoft Small Business Server 2000
http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en

. Microsoft Small Business Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en


Further information:

http://www.microsoft.com/technet/security/bulletin/MS04-001.asp


CVE identifiers: CAN-2003-0819 (http://cve.mitre.org)


CAIS recommends that administrators of Microsoft platforms keep their
systems and applications up to date at all times.


Regards,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)     #
#       Rede Nacional de Ensino e Pesquisa (RNP)               #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available      http://www.rnp.br/cais/cais-pgp.key   #
################################################################

Microsoft Security Bulletin MS04-001
Vulnerability in Microsoft Internet Security and Acceleration Server 2000
H.323 Filter Could Allow Remote Code Execution (816458)

Issued: January 13, 2004
Version: 1.0
Summary

Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should install the security update immediately
Update Replacement: None
Caveats: None
Tested Software and Security Update Download Locations:

Affected Software:

    * Microsoft Internet Security and Acceleration Server 2000 - Download
the update
    * Microsoft Small Business Server 2000 (which includes Microsoft
Internet Security and Acceleration Server 2000) - Download the Update
    * Microsoft Small Business Server 2003 (which includes Microsoft
Internet Security and Acceleration Server 2000) - Download the Update

Non Affected Software:

    * Microsoft Proxy Server 2.0

The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support
or may not be affected. Please review the Microsoft Support Lifecycle Web
site to determine the support lifecycle for your product and version.

Technical Details

Technical description:

A security vulnerability exists in the H.323 filter for Microsoft Internet
Security and Acceleration Server 2000 that could allow an attacker to
overflow a buffer in the Microsoft Firewall Service in Microsoft Internet
Security and Acceleration Server 2000. An attacker who successfully
exploited this vulnerability could try to run code of their choice in the
security context of the Microsoft Firewall Service. This would give the
attacker complete control over the system. The H.323 filter is enabled by
default on ISA Server 2000 computers that are installed in integrated or
firewall mode.

Mitigating factors:

    * ISA Servers running in cache mode are not vulnerable because the
Microsoft Firewall Service is disabled by default
    * Users can prevent the risk of attack by disabling the H.323 filter

Severity Rating:
Microsoft Internet Security and Acceleration Server 2000 Critical

The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0819

Workarounds

Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability; however, they help block known attack
vectors. Workarounds may cause a reduction in functionality in some cases;
in such situations this is identified below.

   1. Disable the H.323 filter.
      To disable the H.323 filter, follow these steps:

         1. Open ISA management tool. Expand the Extensions container,
expand the Application Filters container.
         2. Select the H.323 Filter and then click Disable.
         3. Restart the Microsoft Firewall Service Windows Components.

      Impact of workaround:
      If the H.323 filter is disabled, H.323 traffic is blocked by the
Microsoft Firewall Service. This stops any applications that use the H.323
protocol for Internet Protocol (IP) telephony or data collaboration from
communicating through the ISA Server. If H.323 traffic is not on the
network with the ISA Server, disabling this filter and other unused
filters is recommended for enhanced security and performance.
   2. Block TCP port 1720 at a perimeter or gateway router.
      By default the H.323 filter listens on external Transmission Control
Protocol (TCP) port 1720. Blocking this port at a perimeter router will
help to protect the ISA Server from an Internet-based attack.

      Note: Clicking to clear the Allow Incoming Calls check box on the
Call Control tab of the H.323 filter settings does not configure the
filter to stop listening on the external TCP port 1720 and is not an
effective workaround. This behavior has been changed in this Security
Update and is documented additionally in the "Frequently Asked Questions"
section of this security bulletin.

      Impact of workaround:
      If port 1720 traffic is blocked, applications that use the H.323
protocol for IP telephony or data collaboration are no longer able to
communicate over the Internet.

Frequently Asked Questions

What is the scope of the vulnerability?
This is a buffer overflow vulnerability. An attacker who successfully
exploited this vulnerability could cause code to run in the security
context of the Microsoft Firewall Service on ISA Server 2000. An attacker
who successfully exploited this vulnerability could also gain complete
control over the system.

What causes the vulnerability?
This vulnerability results because of the way that the H.323 filter checks
the boundaries on specially crafted H.323 traffic.

What is the H.323 Filter?
The H.323 filter is an application filter that ISA Server 2000 uses to
monitor and control traffic using H.323 and T.120 protocols. The H.323
protocol is used in IP telephony applications to transfer audio and video
communications. The T.120 protocol is used in IP telephony applications to
transfer data such as whiteboard, file transfer, or remote desktop data.
The H.323 filter is enabled by default on ISA Server 2000.

What is the Microsoft Firewall Service?
ISA Server's Microsoft Firewall Service allows Internet applications to
perform as if they were directly connected to the Internet. These services
redirect the necessary communications functions to an ISA Server,
establishing a communication path from the internal application to the
Internet through the server computer.

The service eliminates the need for a specific gateway for each protocol,
such as Simple Mail Transfer Protocol (SMTP), Telnet, File Transfer
Protocol (FTP), or H.323 protocol.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause code
to run in the security context of the Microsoft Firewall Service on ISA
Server 2000. An attacker who successfully exploited this vulnerability
could gain complete control over the system.

Does this update contain any other security changes?
Yes. The update also corrects an issue with the Call Control tab of the
H.323 filter setting. Before this update if you clicked to clear the Allow
Incoming Calls check box in the Call Control tab of the H.323 filter
settings, the filter would not be configured to stop listening on the
external TCP port 1720. This update corrects this problem. After the
update, clicking to select this option correctly configures the filter to
stop listening on the external TCP port 1720. The Microsoft Firewall
Service must be restarted for this setting to take effect.

If the network that the H.323 filter is helping to protect intends to use
only outgoing H.323 traffic, it is recommended that you disable Allow
Incoming Calls to enhance security.

What does the update do?
The update removes the vulnerability by modifying the way that the H.323
filter validates H.323 traffic.

I have installed the H.323 Gatekeeper Service. Is the H.323 Gatekeeper
Service vulnerable?
No. The H.323 Gatekeeper Service does not contain the vulnerability that
is associated with this update. However, if the H.323 Gatekeeper Service
has been installed on the system, an updated version of gksvc.dll will be
installed with this update. The H.323 Gatekeeper Service is not installed
by default.

If I install the H.323 Gatekeeper Service after I apply this update, do I
need to re-apply the update?
Yes. If setup components are re-installed, all updates should be
re-applied.

Security Update Information

Prerequisites

This security update requires ISA Server Service Pack 1 (SP1).

For additional information about how to obtain the latest ISA Server
service pack, click the following article number to view the article in
the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server
Service Pack

Inclusion in future service packs:

The fix for this issue will be included in ISA Server 2000 Service Pack 2.

Installation Information

This security update supports the following Setup switches:

-? :        Show the list of installation switches.
/q :        Use Quiet mode (no user interaction).
-UHF :      Remove hotfix number (where is the number of the hotfix).
-nostart :  Do not start the stopped services.

Deployment Information

To install the security update without any user intervention, use the
following command line:

ISA2000-KB816458-x86.exe -q

Restart Requirement

You do not have to restart your computer after you apply this update. The
ISA services are restarted when applying this update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control
Panel. To do so, click ISA Server 2000 Updates, click Change, click ISA
Hot Fix 291, and then click Remove.

File Information

The English version of this fix has the file attributes (or later) that
are listed in the following table. The dates and times for these files are
listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between
UTC and local time, use the Time Zone tab in the Date and Time tool in
Control Panel.
Date         Time   Version       Size     File name     Platform
16-Dec-2003  17:16  3.0.1200.291  140,560  Gksvc.dll     X86
16-Dec-2003  17:16  3.0.1200.291  209,168  H323asn1.dll  X86
16-Dec-2003  17:16  3.0.1200.291   86,800  H323fltr.dll  X86

Note: Gksvc.dll will only be installed if the H.323 Gatekeeper Service is
installed on the ISA Server. If the H.323 Gatekeeper Service is not
installed, gksvc.dll will not be installed and will not exist on the
system. This service is not installed by default.

The English version of this fix can be used for all languages of the
product.

Verifying Update Installation

You may be able to verify the files that this security update installed by
reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291
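As an added example (not part of the bulletin and not a Microsoft tool), the following PowerShell script checks both indicators the bulletin gives for this update: the hotfix registry key above and the minimum version 3.0.1200.291 of the files in the File Information table. The ISA Server installation directory is an assumption passed as a parameter, since the bulletin does not state it; Gksvc.dll is treated as optional because it only exists when the H.323 Gatekeeper Service is installed.

```powershell
param(
    # Assumed install directory (the bulletin does not state it); adjust as needed.
    [string]$IsaDir = 'C:\Program Files\Microsoft ISA Server'
)

# Values taken from the bulletin: hotfix registry key and minimum file version.
$HotfixKey  = 'HKLM:\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291'
$MinVersion = [version]'3.0.1200.291'
# Gksvc.dll only exists when the H.323 Gatekeeper Service is installed,
# so its absence is not a failure.
$Files = @(
    @{ Name = 'H323fltr.dll'; Required = $true  },
    @{ Name = 'H323asn1.dll'; Required = $true  },
    @{ Name = 'Gksvc.dll';    Required = $false }
)

function Get-BinaryVersion([string]$Path) {
    # Build a System.Version from the numeric parts instead of parsing the
    # FileVersion string, which can carry trailing text on some binaries.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version($vi.FileMajorPart, $vi.FileMinorPart,
                              $vi.FileBuildPart, $vi.FilePrivatePart)
}
$ok = $true
if (Test-Path -LiteralPath $HotfixKey) {
    Write-Output "OK      hotfix key present: $HotfixKey"
} else {
    Write-Output "MISSING hotfix key: $HotfixKey"
    $ok = $false
}

foreach ($f in $Files) {
    $path = Join-Path $IsaDir $f.Name
    if (-not (Test-Path -LiteralPath $path)) {
        if ($f.Required) { Write-Output "MISSING $path"; $ok = $false }
        else { Write-Output "SKIP    $($f.Name) not present (Gatekeeper Service not installed)" }
        continue
    }
    $ver = Get-BinaryVersion $path
    if ($ver -ge $MinVersion) {
        Write-Output "OK      $($f.Name) $ver"
    } else {
        Write-Output "OLD     $($f.Name) $ver is below $MinVersion; apply KB816458"
        $ok = $false
    }
}

if ($ok) { Write-Output 'Result: MS04-001 (KB816458) appears installed.'; exit 0 }
Write-Output 'Result: MS04-001 (KB816458) verification FAILED.'; exit 1
```

The exit code makes the script usable from a remote inventory job: a non-zero result flags a server that still needs KB816458 or whose H.323 filter binaries were replaced by an older copy.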

Acknowledgments

Microsoft thanks the following for working with us to help protect
customers:

    * The UK National Infrastructure Security Co-ordination Centre (NISCC)
for reporting the issue described in MS04-001.

Obtaining other security updates:

Updates for other security issues are available from the following
locations:

    * Security updates are available from the Microsoft Download Center,
and can be most easily found by doing a keyword search for
"security_patch".
    * Updates for consumer platforms are available from the WindowsUpdate
Web site.

Support:

    * Technical support is available from Microsoft Product Support
Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is
no charge for support calls that are associated with security updates.
    * International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with security
updates. Information on how to contact Microsoft support is available at
the International Support Web Site.

Security Resources:

    * The Microsoft TechNet Security Web Site provides additional
information about security in Microsoft products.
    * Microsoft Software Update Services
    * Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge
Base Article 306460 for list of security updates that have detection
limitations with the MBSA tool.
    * Windows Update
    * Windows Update Catalog: Please view Knowledge Base Article 323166
for more information on the Windows Update Catalog.
    * Office Update

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
Site. SMS also provides several additional tools to assist administrators
in the deployment of security updates such as the SMS 2.0 Software Update
Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS
2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline
Security Analyzer and the Microsoft Office Detection Tool to provide broad
support for security bulletin remediation. Some software updates may
require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services
Feature Pack may be used for targeting updates to specific computers, and
the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool
can be used for installation. This provides optimal deployment for updates
that require explicit targeting using Systems Management Server and
administrative rights after the computer has been restarted.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.

Revisions:

    * V1.0 (January 13, 2004): Bulletin published


-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----


----- End forwarded message -----


