[SECURITY-L] CAIS-Alerta: Vulnerabilidade no Windows Media Services (832359)
CSIRT - UNICAMP
security em unicamp.br
Qua Mar 10 10:08:05 -03 2004
----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br> -----
From: Centro de Atendimento a Incidentes de Seguranca <cais em cais.rnp.br>
Subject: CAIS-Alerta: Vulnerabilidade no Windows Media Services (832359)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 9 Mar 2004 17:13:24 -0300 (BRST)
-----BEGIN PGP SIGNED MESSAGE-----
Prezados,
O CAIS esta' repassando o alerta divulgado pela Microsoft, "Microsoft
Security Bulletin MS04-008: Vulnerability in Windows Media Services Could
Allow a Denial of Service (832359)", que trata de uma vulnerabilidade
presente no Windows Media Services e que se explorada pode resultar na
indisponibilidade do servico.
O Windows Media Services nao e' instalado automaticamente no sistema.
Somente sistemas que necessitaram da instalacao estao sujeitos a
vulnerabilidade descrita.
Sistemas Afetados:
. Microsoft Windows 2000 Server Service Pack 2
. Microsoft Windows 2000 Server Service Pack 3
. Microsoft Windows 2000 Server Service Pack 4
Sistemas nao Afetados:
. Microsoft Windows NT® Workstation 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Service Pack 6a
. Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
. Microsoft Windows 2000 Professional Service Pack 2
. Microsoft Windows 2000 Professional Service Pack 3
. Microsoft 2000 Professional Service Pack 4
. Microsoft Windows XP
. Microsoft Windows XP Service Pack 1
. Microsoft Windows XP 64-Bit Edition Service Pack 1
. Microsoft Windows XP 64-Bit Edition Version 2003
. Microsoft Windows Server 2003
. Microsoft Windows Server 2003 64-Bit Edition
Componentes Afetados:
. Windows Media Services 4.1, parte integrante do Microsoft
Windows 2000 Server
Componentes nao Afetados:
. Windows Media Services 9.0 Series, parte integrante do Microsoft
Windows Server 2003
. Windows Media Services 4.1, disponivel para download para o
Windows NT4 Server
Correcoes disponiveis:
A correcao consiste na aplicacao dos correspondentes patches recomendados
pela Microsoft e disponiveis em:
. Microsoft Windows 2000 Server Service Pack 2
. Microsoft Windows 2000 Server Service Pack 3
. Microsoft Windows 2000 Server Service Pack 4
http://www.microsoft.com/downloads/details.aspx?FamilyId=7F4C067C-5D34-48FB-A9FA-C2200243D4D2&displaylang=en
Maiores informacoes:
. Microsoft Security Bulletin MS04-008
http://www.microsoft.com/technet/security/bulletin/ms04-008.asp
Identificadores do CVE (http://cve.mitre.org): CAN-2003-0905
O CAIS recomenda aos administradores de plataformas Microsoft que
mantenham seus sistemas e aplicativos sempre atualizados.
Atenciosamente,
################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS) #
# Rede Nacional de Ensino e Pesquisa (RNP) #
# #
# cais em cais.rnp.br http://www.cais.rnp.br #
# Tel. 019-37873300 Fax. 019-37873301 #
# Chave PGP disponivel http://www.rnp.br/cais/cais-pgp.key #
################################################################
Microsoft Security Bulletin MS04-008
Vulnerability in Windows Media Services Could Allow a Denial of Service
(832359)
Issued: March 9, 2004
Version: 1.0
Summary
Who Should Read This Document:
Customers who are using Microsoft® Windows® 2000
Impact of Vulnerability:
Denial of Service
Maximum Severity Rating:
Moderate
Recommendation:
Systems administrators should consider applying the security update to
systems that are running Windows 2000 Server and that have Windows Media
Services 4.1 installed.
Security Update Replacement:
None
Caveats:
None
Tested Software and Security Update Download Locations:
Affected Software
Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000
Server Service Pack 3, Microsoft Windows 2000 Server Service Pack 4
- -Download the update
Non Affected Software
Microsoft Windows NT® Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows 2000
Professional Service Pack 3, Microsoft 2000 Professional Service Pack 4
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Tested Microsoft Windows Components:
Affected Components:
Windows Media Services 4.1 (included with Microsoft Windows 2000 Server)
Non Affected Components:
Windows Media Services 9.0 Series (included with Microsoft Windows Server
2003)
Windows Media Services 4.1 (available for download for Windows NT4 Server)
The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support
or may not be affected. Please review the Microsoft Support Lifecycle Web
site to determine the support lifecycle for your product and version.
Top of section
General Information
Technical Details
Technical description:
A vulnerability exists because of the way that Windows Media Station
Service and Windows Media Monitor Service, components of Windows Media
Services, handle TCP/IP connections. If a remote user were to send a
specially-crafted sequence of TCP/IP packets to the listening port of
either of these services, the service could stop responding to requests
and no additional connections could be made. The service must be restarted
to regain its functionality.
Windows Media Services is made up of Windows Media Services Administrator
and four Windows Media Services components running on a single computer:
By using Windows Media Unicast Service, Windows Media content can be
streamed over unicast, using either TCP or UDP as a transport, to
Microsoft Windows Media Player or to another Windows Media server.
Windows Media Station Service performs three key functions:
It arranges one or more streams of content (also known as a "playlist" or
"program") for subsequent streaming.
It multicasts the playlist or program to Windows Media Player or to
another Windows Media server.
It distributes the playlist or program locally to Windows Media Unicast
Service for subsequent unicasting to Windows Media Player or to another
Windows Media server.
Windows Media Program Service is a dependent service of Windows Media
Station Service. Windows Media Program Service helps the server
administrator build playlists of Windows Media content using Windows Media
Services Administrator and persist those playlists for future use.
Windows Media Monitor Service is the administrative console of Windows
Media Services.
Note Windows Media Unicast Service may also be affected by a successful
attack against Windows Media Station Service if Windows Media Unicast
Service is sourcing a playlist from Windows Media Station Service. In this
case, Windows Media Unicast Service could stop functioning when it
encounters the next item in the playlist. An administrator can stream
media by using Windows Media Unicast Service without a playlist.
Mitigating factors:
The Windows Media Services component is not installed by default.
Windows Media Services can be configured to offer streaming media over
unicast only and would then not be affected by this vulnerability. This
configuration would mean that different media streams from the same server
could not be added into a playlist.
Microsoft recommends that customers enable Windows Media Unicast Service
only on Internet-facing sockets and ports and not the other components of
Windows Media Services. If this practice is followed, the attack surface
would not be exposed to the Internet.
Customers who administer their Windows Media Services servers directly
from the console or through a Terminal Services session are not affected
by any successful Denial of Service attempts against Windows Media Monitor
Service. Windows Media Monitor Service would not be accessible remotely,
only locally.
If you have disabled Windows Media Station Service and Windows Media
Monitor Service, you are not affected by this vulnerability.
Severity Rating:
Microsoft Windows 2000 Server
Moderate
The above assessment is based on the types of systems that are affected by
the vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0905
Top of section
Workarounds
Microsoft has tested the following workarounds. These workarounds will not
correct the underlying vulnerability. However, they help block known
attack vectors. Workarounds may reduce functionality in some cases; in
such cases, the reduction in functionality is identified below.
Block ports 7007 and 7778 at your firewall.
If you do not stream media over TCP to the Internet, you can block TCP
port 7007. Also, block port 7778, which is used to administer Windows
Media Services through Windows Media Monitor Service. Windows Media
Services uses these ports. By blocking these ports at the firewall, you
can help prevent systems that are behind the firewall from being attacked
by attempts to exploit this vulnerability.
Impact of Workaround: If you block port 7007, you will prevent multicast
streams and the enabling of playlists from functioning across the
firewall. If you block port 7778, you will prevent administrative
functions from functioning across the firewall.
Administer your Windows Media Services from the console or through a
Terminal Services session.
Administer your Windows Media Services servers directly from the console
or through a Terminal Services session. If you do this, you will not be
affected by any successful denial of service attempts against Windows
Media Monitor Service. The reason for this is that the service can still
be accessed and used from the desktop of the system that is hosting
Windows Media Services even after a successful denial of service attack
has been taken place.
Impact of Workaround: None.
Stop, disable, or remove Windows Media Station Service.
Stop, disable, or remove Windows Media Station Service.
Impact of Workaround: Stopping, disabling, or removing Windows Media
Station Service will cause multicast streams or the enabling of playlists
to not function.
Disable or remove Windows Media Monitor Service.
Disable or remove Windows Media Monitor Service.
Impact of Workaround: Disabling or removing Windows Media Monitor Service
will prevent the possibility of administering Windows Media Services.
Top of section
Security Update Information
Installation Platforms and Prerequisites:
For information about the specific security update for your platform,
click the appropriate link:
Windows 2000 Server (all versions)
Prerequisites
For Windows 2000 Server, this security update requires Service Pack 2
(SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).
The software listed above has been tested to determine if the versions are
affected. Other versions either no longer include security patch support
or may not be affected. Please review the Microsoft Support Lifecycle Web
site to determine the support lifecycle for your product and version.
For additional information, click the following article number to view the
article in the Microsoft Knowledge Base: 260910 How to Obtain the Latest
Windows 2000 Service Pack
Inclusion in Future Service Packs:
The fix for this issue will be included in Windows 2000 Service Pack 5.
Installation Information
This security update supports the following Setup switches:
/help Displays the command line options
Setup Modes
/quiet Use Quiet mode (no user interaction or display)
/passive Unattended mode (progress bar only)
/uninstall Uninstalls the package
Restart Options
/norestart Do not restart when installation is complete
/forcerestart Restart after installation
Special Options
/l Lists installed Windows hotfixes or update packages
/o Overwrite OEM files without prompting
/n Do not backup files needed for uninstall
/f Force other programs to close when the computer shuts
down
Note: You can combine these switches into one command. For backwards
compatibility, the security update also supports the Setup switches that
are used by the previous version of the setup utility. For additional
information about the supported installation switches, please review
Knowledge Base Article 262841.
Deployment Information
To install the security update without any user intervention, use the
following command at a command prompt for Windows 2000 Service Pack 2,
Windows 2000 Service Pack 3, or Windows 2000 Service Pack 4:
WindowsMedia41-KB832359-ENU /passive /quiet
To install the security update without forcing the computer to restart,
use the following command at a command prompt for Windows 2000 Service
Pack 2, Windows 2000 Service Pack 3, or Windows 2000 Service Pack 4:
WindowsMedia41-KB832359-ENU /norestart
For information about how to deploy this security update with Software
Update Services, visit the Software Update Services Web site.
Restart Requirement
In some cases, this update does not require a reboot. The installer stops
the required services, applies the update, and then restarts the services.
However, if the required services cannot be stopped for any reason, or if
required files are in use, this update will require a reboot. If this
occurs, a message appears that advises you to reboot.
Removal Information
To remove this security update, use the Add/Remove Programs tool in
Control Panel.
System administrators can use the Spuninst.exe utility to remove this
security update. The Spuninst.exe utility is located in the
%Windir%\$NTUninstallKB832359$\Spuninst folder. The Spuninst.exe utility
supports the following Setup switches:
/?: Show the list of installation switches.
/u: Use unattended mode.
/f: Force other programs to quit when the computer shuts down.
/z: Do not restart when the installation is complete.
/q: Use Quiet mode (no user interaction).
File Information
The English version of this fix has the file attributes (or later) that
are listed in the following table. The dates and times for these files are
listed in coordinated universal time (UTC). When you view the file
information, it is converted to local time. To find the difference between
UTC and local time, use the Time Zone tab in the Date and Time tool in
Control Panel.
Windows 2000 Service Pack 2, Windows 2000 Service Pack 3, Windows 2000
Service Pack 4
Date Time Version Size File name
------------------------------------------------------
15-Jan-2004 02:51 4.1.0.3934 222,384 Nscm.exe
15-Jan-2004 02:48 4.1.0.3934 31,808 Nspmon.exe
Verifying Update Installation
To verify that a security update is installed on an affected system you
may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool.
The Microsoft Baseline Security Analyzer (MBSA) allows administrators to
scan local and remote systems for missing security updates as well as
common security misconfigurations. For additional information about MBSA,
please visit the Microsoft Baseline Security Analyzer Web site.
You may also be able to verify the files that this security update
installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Media
Services\KB832359\FileList
Note This registry key may not be not created properly when an
administrator or an OEM integrates or slipstreams the 832359 security
update into the Windows installation source files.
Top of section
Top of section
Acknowledgments
Microsoft thanks the following for working with us to help protect
customers:
Qualys for reporting the issue.
Obtaining other security updates:
Updates for other security issues are available from the following
locations:
Security updates are available from the Microsoft Download Center, and can
be most easily found by doing a keyword search for "security_patch".
Updates for consumer platforms are available from the Windows Update Web
site.
Support:
Technical support is available from Microsoft Product Support Services at
1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge
for support calls that are associated with security updates.
International customers can get support from their local Microsoft
subsidiaries. There is no charge for support associated with security
updates. Information on how to contact Microsoft support is available at
the International Support Web site.
Security Resources:
The Microsoft TechNet Security Web site provides additional information
about security in Microsoft products.
Microsoft Software Update Services
Microsoft Baseline Security Analyzer (MBSA)
Windows Update
Windows Update Catalog: Please view Knowledge Base Article 323166 for more
information on the Windows Update Catalog.
Office Update
Software Update Services:
Microsoft Software Update Services (SUS) enables administrators to quickly
and reliably deploy the latest critical updates and security updates to
Windows® 2000 and Windows Server™ 2003-based servers, as well as to
desktop computers running Windows 2000 Professional or Windows XP
Professional.
For information about how to deploy this security update with Software
Update Services, visit the Software Update Services Web site.
Systems Management Server:
Systems Management Server can provide assistance deploying this security
update. For information about Systems Management Server visit the SMS Web
site. For detailed information about the many enhancements to the security
update deployment process that SMS 2003 provides, please visit the SMS
2003 Security Patch Management Web site. For users of SMS 2.0, it also
provides several additional tools to assist administrators in the
deployment of security updates such as the SMS 2.0 Software Update
Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS
2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline
Security Analyzer and the Microsoft Office Detection Tool to provide broad
support for security bulletin remediation. Some software updates may
require administrative rights following a restart of the computer
Note: The inventory capabilities of the SMS 2.0 Software Update Services
Feature Pack may be used for targeting updates to specific computers, and
the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool
can be used for installation. This provides optimal deployment for updates
that require explicit targeting using Systems Management Server and
administrative rights after the computer has been restarted.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as
is" without warranty of any kind. Microsoft disclaims all warranties,
either express or implied, including the warranties of merchantability and
fitness for a particular purpose. In no event shall Microsoft Corporation
or its suppliers be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages, even if Microsoft Corporation or its suppliers have been advised
of the possibility of such damages. Some states do not allow the exclusion
or limitation of liability for consequential or incidental damages so the
foregoing limitation may not apply.
Revisions:
V1.0 (March 9, 2004): Bulletin published
-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8
iQCVAwUBQE4lbukli63F4U8VAQH+QgP7BHI/WtTuFl0q3n/zSE9/u4f0N9YeISeN
SYg2VI4LnMuCD6BuTRenP73ZcdaP6ekEc/NJQdBclcRUub2yXBSbX47PljuXktfz
DMDg13hiqonfwb2/zSsf+XWfeFpwsN+AMv4QkMLFAw6obCuZGMkoGXaDUaDfErcc
4T3juT1JPFA=
=owPn
-----END PGP SIGNATURE-----
----- End forwarded message -----
Mais detalhes sobre a lista de discussão SECURITY-L