MS-ISAC ADVISORY NUMBER:
2006-014 Updated
DATE(S) ISSUED:
08/08/2006
08/10/2006 - Updated
09/13/2006 - Updated
11/14/2006 - Updated
11/17/2006 - Updated
SUBJECT:
New Vulnerability in Microsoft Server Service Could Allow Remote Code Execution
ORIGINAL OVERVIEW:
A new vulnerability has been discovered in the Microsoft Server Service that could allow a remote attacker to take complete control of the vulnerable system. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. A vulnerable computer could be exploited if a malicious user sends a specially-crafted NetBIOS message over the Internet or an internal network.
This vulnerability has the potential to be used in new worms or worm variants, so it should be addressed as soon as possible.
AUGUST 10 UPDATED INFORMATION:
The U.S. Department of Homeland Security issued a press release warning of risks referenced in Microsoft Bulletin MS06-040. Microsoft is treating MS06-040 internally as a Level 3 bulletin - to put this in context, the only other Level 3 bulletins issued by Microsoft in the past were related to the Sasser worm and the WMF vulnerability.
SEPTEMBER 13 UPDATED INFORMATION:
Microsoft has released information stating that Windows 2003 Server SP1 and Windows XP Professional x64 systems running applications that request large amounts of contiguous memory may fail after installing the previous version of MS06-040.
NOVEMBER 14 UPDATED INFORMATION:
A new vulnerability has been discovered in the Microsoft Workstation service that could allow a remote attacker to take complete control of the vulnerable system. The Workstation service processes local and remote requests for resources (such as disks and printers). A vulnerable computer could be exploited if a malicious user sends a specially-crafted NetBIOS message over the Internet or an internal network.
NOVEMBER 17 UPDATED INFORMATION:
Public code is currently available to exploit the Windows 2000 Workstation service. This exploit code attacks the machine in the form of a worm and takes full advantage of the flaws that were identified in the November 14th update in this advisory.
SYSTEMS AFFECTED:
- Microsoft Windows 2000
- Microsoft Windows XP Service Packs 1 and 2
- Microsoft Windows 2003 Server Service Pack 1
RISK:
Government:
- Large and medium government entities: High
- Small government entities: High
Businesses:
- Large and medium business entities: High
- Small business entities: High
Home users: High
DESCRIPTION:
A new vulnerability has been discovered in Microsoft Server Service. The Server service allows the sharing of your local resources (such as disks and printers) so that other users on the network can access them. It also allows named pipe communication between applications running on other computers and your computer, which is used for Remote Procedure Calls (RPC).
Any anonymous user could deliver a specially-crafted message to a vulnerable system. If successfully exploited, the attacker could take complete control of the system or cause a denial of service condition. At the time of this advisory, Microsoft, US-CERT, and other organizations have confirmed the existence of working exploit code and reports of active system compromises due to this vulnerability.
AUGUST 10 UPDATED DESCRIPTION:
The U.S. Department of Homeland Security issued a press release warning that the vulnerability, if exploited, could enable an attacker to remotely take control of an affected system and install programs, view, change, or delete data, and create new accounts with full user rights. Users are encouraged to patch their PCs as quickly as possible to prevent any such attack from occurring.
Metasploit has released a plug-in for this vulnerability. Although this plug-in is only a Denial of Service attack, we expect that a functional Remote Code Execution exploit will soon be available.
Since the release of the MS06-040 patches, AT&T Internet Protect has observed increased traffic on port 139. Several malware programs are known to spread by exploiting the Microsoft LSASS/COM vulnerabilities via port 139/tcp, alone or in combination with other ports. AT&T Internet Protect states that the amount of traffic on port 139 is increasing over time and that this may be an indication of a new worm spreading over the Internet. They also report that the traffic is currently coming from the Asia-Pacific region and is directed toward the European region.
SEPTEMBER 13 UPDATED DESCRIPTION:
Microsoft has updated the advisory stating that if the MS06-040 patch, released on August 12, has been installed, then the host machine may be susceptible to failure. This failure will occur if the host is running applications that require large amounts of contiguous memory. The likelihood of this type of application running on a Windows 2003 Server machine is high. It is recommended that the latest version of MS06-040 be re-applied if the initial patch was installed on a Windows 2003 Server SP1 or Windows XP Professional x64 system.
NOVEMBER 14 UPDATED DESCRIPTION:
Microsoft has released security bulletin MS06-070 due to a buffer overflow vulnerability in the Microsoft Workstation service that affects Windows 2000 SP4 and Windows XP SP2. Windows 2003 Server is not affected. A remote attacker can execute code on a vulnerable system by sending it a specially-crafted message. No user interaction is required for successful exploitation to occur. This vulnerability has the potential to be used in new worms or worm variants, so it should be addressed as soon as possible.
NOVEMBER 17 UPDATED DESCRIPTION:
Security firms are reporting that a worm exploiting the buffer overflow in Microsoft Workstation service described in Microsoft Security Bulletin MS06-070 is spreading in the wild. Working exploit code was made available to the public by a group of hackers called Milw0rm. We expect that new variants of existing worms will take advantage of this flaw to penetrate vulnerable systems.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Block untrusted incoming traffic on ports 139/TCP and 445/TCP from the Internet at your network perimeter.
- Apply the appropriate patch to vulnerable systems as soon as possible after appropriate testing. The patch is available at: http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
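One way to check that the perimeter block on 139/TCP and 445/TCP is actually in effect is to audit firewall logs. The following is an added example, not part of the MS-ISAC advisory: it lists untrusted connections to those ports that were allowed through, and flags untrusted sources that touch several internal hosts, the fan-out pattern a spreading worm produces. The log line format, the trusted network range and the fan-out threshold are assumptions, and the sample lines are constructed.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the advisory's perimeter-blocking recommendation.
SMB_PORTS = {139, 445}
# Assumption: only this internal range may reach file sharing.
TRUSTED = [ipaddress.ip_network("10.0.0.0/8")]
# Assumption: this many distinct targets from one source suggests scanning.
FANOUT_THRESHOLD = 3

# Assumed log format: "<timestamp> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LINE = re.compile(
    r"^\S+ (?P<action>ALLOW|DENY) TCP "
    r"(?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def audit(lines):
    """Return (leaks, scanners) for untrusted traffic to 139/445."""
    leaks = []                    # untrusted connections the firewall allowed
    targets = defaultdict(set)    # untrusted source -> distinct destinations
    for line in lines:
        m = LINE.match(line.strip())
        if not m or int(m["dport"]) not in SMB_PORTS:
            continue
        try:
            src = ipaddress.ip_address(m["src"])
        except ValueError:        # malformed address in the log: skip the line
            continue
        if any(src in net for net in TRUSTED):
            continue
        targets[m["src"]].add(m["dst"])
        if m["action"] == "ALLOW":
            leaks.append((m["src"], m["dst"], int(m["dport"])))
    scanners = sorted(s for s, d in targets.items() if len(d) >= FANOUT_THRESHOLD)
    return leaks, scanners

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = """\
2006-11-17T10:00:01 DENY TCP 203.0.113.5:4021 -> 10.1.2.10:445
2006-11-17T10:00:01 DENY TCP 203.0.113.5:4022 -> 10.1.2.11:445
2006-11-17T10:00:02 DENY TCP 203.0.113.5:4023 -> 10.1.2.12:139
2006-11-17T10:00:05 ALLOW TCP 198.51.100.7:3310 -> 10.1.2.20:139
2006-11-17T10:00:06 ALLOW TCP 10.4.4.4:2200 -> 10.1.2.20:445
2006-11-17T10:00:07 ALLOW TCP 198.51.100.7:3311 -> 10.1.2.30:80
""".splitlines()

if __name__ == "__main__":
    leaks, scanners = audit(SAMPLE_LOG)
    print("Allowed from untrusted sources:", leaks)
    print("Sources with worm-like fan-out:", scanners)
```

Any entry in the first list is a gap in the perimeter rule; sources in the second list are candidates for follow-up even when every attempt was denied.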
NOVEMBER 14 UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply the appropriate patch to vulnerable systems immediately after appropriate testing. The patch is available at: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
NOVEMBER 17 UPDATED RECOMMENDATIONS:
We recommend the following actions be taken:
- Verify that the MS06-070 patch is properly installed on affected systems in your organization. If the patch is not installed, apply it immediately after appropriate testing. The patch is available at: http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS06-040.mspx
SecurityFocus:
http://www.securityfocus.com/bid/19409/
US-CERT:
http://www.kb.cert.org/vuls/id/650769
CVE:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3439
AUGUST 10 UPDATED REFERENCES:
Department of Homeland Security:
http://www.dhs.gov/dhspublic/display?content=5789
eWeek:
http://www.eweek.com/article2/0,1895,2001412,00.asp
TechNet:
http://blogs.technet.com/msrc/archive/2006/08/10/445769.aspx
Metasploit:
http://www.metasploit.com
NOVEMBER 14 UPDATED REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/Bulletin/MS06-070.mspx
NOVEMBER 17 UPDATED REFERENCES:
Network World:
http://www.networkworld.com/news/2006/111606-attack-code-posted-for-latest.html
SecurityFocus:
http://www.securityfocus.com/bid/20985/info
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
