 
From: Microsoft Product Security (secnotif@MICROSOFT.COM)
Date: Thu Aug 16 2001 - 16:03:51 CDT


    The following is a Security Bulletin from the Microsoft Product Security
    Notification Service.

    Please do not reply to this message, as it was sent from an unattended
    mailbox.
                        ********************************

     
    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title: ISA Server H.323 Gatekeeper Service Contains Memory Leak
    Date: 16 August 2001
    Software: ISA Server 2000
    Impact: Denial of service, cross-site scripting
    Bulletin: MS01-045

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS01-045.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    This bulletin discusses three security vulnerabilities that are
    unrelated except in the sense that all three affect ISA Server 2000:

     - A denial of service vulnerability involving the H.323 Gatekeeper
       Service, a service that supports the transmission of voice-over-IP
       traffic through the firewall. The service contains a memory leak
       that is triggered by a particular type of malformed H.323 data.
       Each time such data is received, the memory available on the
       server is depleted by a small amount; if an attacker repeatedly
       sent such data, the performance of the server could deteriorate to
       the point where it would effectively disrupt all communications
       across the firewall. A server administrator could restore normal
       service by cycling the H.323 service.
     - A denial of service vulnerability in the Proxy service.
       Like the vulnerability above, this one is caused by a memory leak,
       and could be used to degrade the performance of the server to
       the point where it disrupts communications.
     - A cross-site scripting vulnerability affecting the error page
       that ISA Server 2000 generates in response to a failed request
       for a web page. An attacker could exploit the vulnerability by
       tricking a user into submitting to ISA Server 2000 a URL that
       has the following characteristics: (a) it references a valid
       web site; (b) it requests a page within that site that can't be
       retrieved - that is, a non-existent page or one that generates
       an error; and (c) it contains script within the URL. The error
       page generated by ISA Server 2000 would contain the embedded
       script commands, which would execute when the page was displayed
       in the user's browser. The script would run in the security domain
       of the web site referenced in the URL, and would be able to access
       any cookies that site has written to the user's machine.

    Mitigating Factors:
    ====================
    H.323 Denial of service vulnerability:
     - The vulnerability could only be exploited if the H.323 Gatekeeper
       Service was installed. It is only installed by default if "Full
       Installation" is chosen; if "Typical Installation" is selected,
       it is not installed.
     - The vulnerability would not enable an attacker to gain any
       privileges on an affected server or add any traffic to an existing
       voice-over-IP session. It is strictly a denial of service
       vulnerability.

    Proxy Service Denial of service vulnerability:
     - The vulnerability could only be exploited by an internal user; it
       could not be exploited by an Internet user.
     - The vulnerability would not enable an attacker to gain any
       privileges on an affected server or compromise any cached content
       on the server. It is strictly a denial of service vulnerability.

    Cross-site scripting vulnerability:
     - In order to run script in the security domain of a trusted site,
       the attacker would need to know which sites, if any, a user
       trusted. Most users use the default security settings for all web
       sites, which would effectively deny an attacker any gain in
       exploiting the vulnerability for the purposes of running script.
     - An attacker who wished to read other sites' cookies on a user's
       machine would have no way to know which sites had placed cookies
       there. The attacker would need to exploit the vulnerability once
       for every web site whose cookies she wished to access.
     - Even if the attacker correctly guessed which sites had placed
       cookies on a user's machine, there should be no sensitive
       information in the cookies, if best practices have been followed.

    Patch Availability:
    ===================
     - A patch is available to fix this vulnerability. Please read the
       Security Bulletin
       http://www.microsoft.com/technet/security/bulletin/ms01-045.asp
       for information on obtaining this patch.

    Acknowledgment:
    ===============
     - Peter Grundl for reporting the memory leaks in the H.323
       Gatekeeper Service and the Proxy Service.
     - Dr. Hiromitsu Takagi for reporting the cross-site scripting
       vulnerability.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED
    "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL
    WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF
    MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT
    SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY
    DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO
    THE FOREGOING LIMITATION MAY NOT APPLY.

    -----BEGIN PGP SIGNATURE-----
    Version: PGP 7.1

    iQEVAwUBO3w1N40ZSRQxA/UrAQGRTAf/f+CsYKPRvC/a/AlMO6gUVCOP3MA9zvtU
    hKQBFvmNsAho2TFXgk/uYeoQ1ACRJQ3rXLrciaYnyPpdofZUT2dgoehWCEwWCIw4
    Bjw9A0lplVgOQCMFDuMciKISjgaBfNG8wpj9tEwBLRqZ2O0CgF5D6kQgOcrOryg/
    eDc4sQWX6S6oGVPvMgsRCVLu4yOUiO589Vaf63P44h47Z5b4T0TqVOKcB2PDBtjq
    v03Cq+7pApbD9hOD6lUUd9DHF1kWVVcO4HoufdH1rkCyHrG70ZclpHt3qK+jFdJP
    fPPThkAmtQpppwBhXN46Tvk8/N7lhIVScTTGCFuOh0SEIkpQWffNkA==
    =kH78
    -----END PGP SIGNATURE-----

       *******************************************************************
    You have received this e-mail bulletin as a result of your registration
    to the Microsoft Product Security Notification Service. You may
    unsubscribe from this e-mail notification service at any time by sending
    an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST@ANNOUNCE.MICROSOFT.COM
    The subject line and message body are not used in processing the request,
    and can be anything you like.

    To verify the digital signature on this bulletin, please download our PGP
    key at http://www.microsoft.com/technet/security/notify.asp.

    For more information on the Microsoft Security Notification Service
    please visit http://www.microsoft.com/technet/security/notify.asp. For
    security-related information about Microsoft products, please visit the
    Microsoft Security Advisor web site at http://www.microsoft.com/security.

    _____________________________________________________________________
    ** TO UNSUBSCRIBE, send the command "UNSUBSCRIBE win2ksecadvice"
    ** FOR A WEEKLY DIGEST, send the command "SET win2ksecadvice DIGEST"
    SEND ALL COMMANDS TO: listserv@listserv.ntsecurity.net
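The leak-on-malformed-input pattern the bulletin describes for the H.323 Gatekeeper and Proxy services, as an added example that is neither ISA Server code nor real H.323 encoding: a toy length-prefixed message handler in C whose error path returns before freeing what it already allocated, beside a version that validates before allocating and frees on every path. An allocation counter makes the leak observable without a heap profiler. The wire format, the function names and the sample bytes are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed wire format (not H.225/Q.931):
 *   byte 0      message type
 *   bytes 1..2  body length, big-endian
 *   bytes 3..   body
 * Empty bodies are rejected so malloc(0) never enters the picture. */
#define MSG_HDR  3
#define MAX_BODY 512

struct msg {
    uint8_t  type;
    uint16_t len;
    uint8_t *body;
};

/* Count live heap blocks so a leak is visible without a heap profiler. */
static long live_allocs = 0;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p)
        live_allocs++;
    return p;
}

static void tracked_free(void *p)
{
    if (p) {
        live_allocs--;
        free(p);
    }
}

long live_allocation_count(void)
{
    return live_allocs;
}

/* Vulnerable pattern: allocate first, validate later, and bail out on the
 * error path without releasing the allocation. Returns 0 when handled,
 * -1 when the message is rejected as malformed. */
int handle_message_leaky(const uint8_t *buf, size_t n)
{
    if (n < MSG_HDR)
        return -1;
    struct msg *m = tracked_malloc(sizeof *m);
    if (!m)
        return -1;
    m->type = buf[0];
    m->len  = (uint16_t)((buf[1] << 8) | buf[2]);
    if (m->len == 0 || m->len > MAX_BODY || (size_t)m->len + MSG_HDR > n)
        return -1;                      /* BUG: m is never freed */
    m->body = tracked_malloc(m->len);
    if (!m->body) {
        tracked_free(m);
        return -1;
    }
    memcpy(m->body, buf + MSG_HDR, m->len);
    /* ... a real gatekeeper would route the call here ... */
    tracked_free(m->body);
    tracked_free(m);
    return 0;
}

/* Fixed pattern: validate the header before allocating anything, then
 * release through one cleanup path whatever happens afterwards. */
int handle_message_fixed(const uint8_t *buf, size_t n)
{
    if (n < MSG_HDR)
        return -1;
    uint16_t len = (uint16_t)((buf[1] << 8) | buf[2]);
    if (len == 0 || len > MAX_BODY || (size_t)len + MSG_HDR > n)
        return -1;                      /* nothing allocated yet */
    struct msg *m = tracked_malloc(sizeof *m);
    if (!m)
        return -1;
    int rc = -1;
    m->type = buf[0];
    m->len  = len;
    m->body = tracked_malloc(len);
    if (m->body) {
        memcpy(m->body, buf + MSG_HDR, len);
        rc = 0;
    }
    tracked_free(m->body);              /* no-op on NULL */
    tracked_free(m);
    return rc;
}

/* Feed the same message `count` times and report how many heap blocks the
 * handler left behind; 0 means no leak. */
long leaked_after(int (*handler)(const uint8_t *, size_t),
                  const uint8_t *buf, size_t n, int count)
{
    long before = live_allocs;
    for (int i = 0; i < count; i++)
        handler(buf, n);
    return live_allocs - before;
}

/* Constructed sample inputs, not captured traffic. */
const uint8_t SAMPLE_MALFORMED[4] = { 0x01, 0xFF, 0xFF, 0x00 }; /* claims a 65535-byte body */
const uint8_t SAMPLE_VALID[5]     = { 0x01, 0x00, 0x02, 0xAA, 0xBB };

int main(void)
{
    printf("leaky handler, 1000 malformed messages: %ld blocks leaked\n",
           leaked_after(handle_message_leaky, SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED, 1000));
    printf("fixed handler, 1000 malformed messages: %ld blocks leaked\n",
           leaked_after(handle_message_fixed, SAMPLE_MALFORMED, sizeof SAMPLE_MALFORMED, 1000));
    return 0;
}
```

The leak is tiny per message, exactly as the bulletin says, which is why a single probe looks harmless and only a sustained stream degrades the server; in a review, the thing to look for is any allocation that precedes a validation check with an early return. On a live system the same symptom shows up as the service's private bytes climbing steadily under load and dropping back only when the service is restarted.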
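The reflected error-page problem described in the bulletin's third item, as an added example that is not ISA Server code: a hypothetical proxy error page renderer in C, with the vulnerable variant that copies the requested URL into the HTML verbatim next to a hardened variant that HTML-encodes it first. The page template, the function names and the sample URL are constructed for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Return a malloc'ed copy of s with the five HTML-significant characters
 * replaced by entity references; the caller frees it. */
char *html_escape(const char *s)
{
    char *out = malloc(strlen(s) * 6 + 1);   /* "&quot;" is the longest expansion */
    if (!out)
        return NULL;
    char *p = out;
    for (; *s; s++) {
        switch (*s) {
        case '<':  memcpy(p, "&lt;", 4);   p += 4; break;
        case '>':  memcpy(p, "&gt;", 4);   p += 4; break;
        case '&':  memcpy(p, "&amp;", 5);  p += 5; break;
        case '"':  memcpy(p, "&quot;", 6); p += 6; break;
        case '\'': memcpy(p, "&#39;", 5);  p += 5; break;
        default:   *p++ = *s;
        }
    }
    *p = '\0';
    return out;
}

/* Constructed error page template; the %s is where the request URL goes. */
static const char PAGE_TEMPLATE[] =
    "<html><head><title>Error</title></head><body>"
    "<h1>The page cannot be displayed</h1>"
    "<p>The requested URL %s could not be retrieved.</p>"
    "</body></html>";

static char *render_template(const char *text)
{
    size_t len = strlen(PAGE_TEMPLATE) + strlen(text) + 1;
    char *page = malloc(len);
    if (!page)
        return NULL;
    snprintf(page, len, PAGE_TEMPLATE, text);
    return page;
}

/* Vulnerable: the URL is interpolated verbatim, so "<script>...</script>"
 * in the request becomes live markup in the error page. The browser
 * attributes that page to the origin of the site named in the URL. */
char *render_error_page_vulnerable(const char *url)
{
    return render_template(url);
}

/* Hardened: encode before interpolating. The URL is still shown to the
 * user but can no longer open a tag or an attribute. */
char *render_error_page_fixed(const char *url)
{
    char *esc = html_escape(url);
    if (!esc)
        return NULL;
    char *page = render_template(esc);
    free(esc);
    return page;
}

/* Crude reflection check: does the page carry an unencoded <script tag? */
int page_has_script_tag(const char *page)
{
    return page != NULL && strstr(page, "<script") != NULL;
}

/* Constructed attack URL with the three properties the bulletin lists:
 * a valid host, a page that will not be found, and script in the URL. */
const char SAMPLE_ATTACK_URL[] =
    "http://www.example.com/no-such-page<script>alert(document.cookie)</script>";

int main(void)
{
    char *bad  = render_error_page_vulnerable(SAMPLE_ATTACK_URL);
    char *good = render_error_page_fixed(SAMPLE_ATTACK_URL);
    printf("vulnerable:\n%s\n\nfixed:\n%s\n", bad, good);
    free(bad);
    free(good);
    return 0;
}
```

Output encoding at the sink is the fix because the proxy cannot know which part of a URL is attacker-controlled; the same treatment applies to anything else the error page echoes, such as a host name or a header value. The reason the bulletin stresses the "security domain of the web site referenced in the URL" is visible here: the error page is the response the browser receives for that site, so the reflected script gets that site's cookies, not the proxy's.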