MS-ISAC ADVISORY NUMBER:
2009-034
DATE(S) ISSUED:
6/9/2009
SUBJECT:
Vulnerabilities in Active Directory
OVERVIEW:
Two vulnerabilities have been discovered in Active Directory. Active Directory is a Microsoft technology that enables authentication and access to resources on a network. Both vulnerabilities may be exploited by sending specially crafted LDAP or LDAPS requests to a vulnerable server running Active Directory (or, for the second vulnerability, Active Directory Application Mode). The most severe vulnerability could allow an attacker to remotely execute arbitrary code. Successful exploitation could give an attacker complete control of the affected system and could lead to the compromise of any other system that is part of the affected domain. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed exploit attempts may result in a denial-of-service condition.
SYSTEMS AFFECTED:
- Microsoft Windows 2000 Server Service Pack 4
- Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
RISK:
Government:
Large and medium government entities: High
Small government entities: High
Businesses:
Large and medium business entities: High
Small business entities: High
Home users: N/A
DESCRIPTION:
Two vulnerabilities have been discovered in Active Directory, the most severe of which could allow an attacker to remotely execute arbitrary code. The other vulnerability could result in denial-of-service conditions. Active Directory is a Microsoft technology that enables authentication and access to resources on a network.
The first vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server. The vulnerability is due to the incorrect freeing of memory when processing specially crafted Lightweight Directory Access Protocol (LDAP) or LDAPS (LDAP over SSL) requests. Successfully exploiting this issue may allow an attacker to take complete control of the affected system and could lead to the compromise of any other system that is part of the affected domain. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.
The second vulnerability exists in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003 and in implementations of Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. ADAM is an LDAP directory service that runs as a user service, rather than as a system service. The vulnerability is due to improper memory management during execution of certain types of LDAP or LDAPS requests. Successfully exploiting this issue may cause the affected system to stop accepting requests, creating a denial-of-service condition.
In order to exploit either of these vulnerabilities, an attacker must be able to send LDAP or LDAPS requests to the affected Active Directory or ADAM server. For LDAP access to Windows 2000 servers no credentials are required; the attacker may bind anonymously. Because most organizations block LDAP requests from outside the network at the perimeter, the most likely attack scenario is an attacker who already has access to the internal network, such as an insider.
RECOMMENDATIONS:
We recommend the following actions be taken:
- Apply appropriate patches provided by Microsoft to vulnerable systems immediately after appropriate testing.
- Ensure TCP ports 389 (LDAP), 636 (LDAPS), 3268 (Microsoft Global Catalog), and 3269 (Microsoft Global Catalog over SSL) are blocked at perimeter firewalls and only grant access to those external systems that have a justified business need to access these ports through the use of IP and port filtering.
- Disable anonymous LDAP access on Microsoft Windows 2000 servers.
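The following script is an added example for verifying the last two recommendations; it is not MS-ISAC or Microsoft code. Run from outside the perimeter it shows whether TCP 389 is reachable at all; run from inside it shows whether a domain controller still answers anonymous requests. It builds LDAPv3 (RFC 4511) messages by hand with the Python standard library only, so nothing needs to be installed. It reads rootDSE first (readable anonymously on every domain controller, so a successful anonymous bind by itself proves little; on Windows Server 2003 and later anonymous binds succeed by default while everything except rootDSE is withheld) and then tries to read the domain naming context, which only succeeds where anonymous LDAP operations are enabled. The host name "dc01.corp.example" and the sample DN "DC=corp,DC=example" are assumptions used for illustration.

```python
"""Anonymous-LDAP probe for a domain controller: hand-built LDAPv3 (RFC 4511) BER, stdlib only."""
import socket
import sys

def tlv(tag, payload):  # one BER TLV; long-form length once the payload reaches 128 bytes
    n = len(payload)
    if n < 0x80:
        return bytes([tag, n]) + payload
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(body)]) + body + payload

def ber_int(n, tag=0x02):  # INTEGER, or ENUMERATED with tag 0x0A; minimal two's-complement
    return tlv(tag, n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big", signed=True))

def ber_str(s, tag=0x04):
    return tlv(tag, s.encode() if isinstance(s, str) else s)

def bind_request(msg_id, dn="", password=""):
    # BindRequest [APPLICATION 0]: version 3, name, simple [0]; empty name/password = anonymous
    op = tlv(0x60, ber_int(3) + ber_str(dn) + ber_str(password, tag=0x80))
    return tlv(0x30, ber_int(msg_id) + op)

def search_request(msg_id, base, attrs):
    # SearchRequest [APPLICATION 3] with scope baseObject and filter (objectClass=*)
    body = (ber_str(base) + ber_int(0, 0x0A) + ber_int(0, 0x0A)  # scope, derefAliases
            + ber_int(1) + ber_int(10) + tlv(0x01, b"\x00")      # sizeLimit, timeLimit, typesOnly
            + ber_str("objectClass", tag=0x87)                   # present filter, context tag [7]
            + tlv(0x30, b"".join(ber_str(a) for a in attrs)))
    return tlv(0x30, ber_int(msg_id) + tlv(0x63, body))

def ber_decode(data):
    """Decode consecutive TLVs to [(tag, value)]; constructed values nest as lists."""
    out, i = [], 0
    while i < len(data):
        tag, n, i = data[i], data[i + 1], i + 2
        if n & 0x80:  # long-form length: low bits give the number of length octets
            k = n & 0x7F
            n, i = int.from_bytes(data[i:i + k], "big"), i + k
        out.append((tag, ber_decode(data[i:i + n]) if tag & 0x20 else data[i:i + n]))
        i += n
    return out

def protocol_op(raw):  # LDAPMessage -> (protocolOp tag, decoded body); field 0 is messageID
    return ber_decode(raw)[0][1][1]

def result_code(op):  # resultCode is the first field of any LDAPResult (bind, search done)
    return int.from_bytes(op[0][1], "big", signed=True)

def entry_attrs(op):  # SearchResultEntry body -> {attribute: [values]}
    return {a[0][1].decode(): [v for _, v in a[1][1]] for _, a in op[1][1]}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the connection")
        buf += chunk
    return buf

def recv_message(sock):  # read exactly one LDAPMessage TLV
    head = recv_exact(sock, 2)
    n = head[1]
    if n & 0x80:
        ext = recv_exact(sock, n & 0x7F)
        head, n = head + ext, int.from_bytes(ext, "big")
    return head + recv_exact(sock, n)

def search(sock, msg_id, base, attrs):  # base-scope search -> (resultCode, [entries])
    sock.sendall(search_request(msg_id, base, attrs))
    entries = []
    while True:
        tag, op = protocol_op(recv_message(sock))
        if tag == 0x64:    # SearchResultEntry
            entries.append(entry_attrs(op))
        elif tag == 0x65:  # SearchResultDone; references (0x73) are ignored
            return result_code(op), entries

def check_anonymous(host, port=389, timeout=5):
    """Is the port reachable, does an anonymous bind succeed, and is domain data readable?"""
    report = {"reachable": False, "bind_ok": False, "naming_context": None, "data_readable": False}
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError:
        return report
    report["reachable"] = True
    with sock:
        sock.sendall(bind_request(1))
        report["bind_ok"] = result_code(protocol_op(recv_message(sock))[1]) == 0
        if not report["bind_ok"]:
            return report
        # rootDSE (empty base) answers anonymously on every DC; the domain naming context
        # does not unless anonymous operations are enabled, so that read is the real test
        code, entries = search(sock, 2, "", ["defaultNamingContext"])
        if code == 0 and entries and "defaultNamingContext" in entries[0]:
            report["naming_context"] = nc = entries[0]["defaultNamingContext"][0].decode()
            code, entries = search(sock, 3, nc, ["objectClass"])
            report["data_readable"] = code == 0 and bool(entries)
    return report

if __name__ == "__main__":  # "dc01.corp.example" is an assumed name; pass a real DC instead
    print(check_anonymous(sys.argv[1] if len(sys.argv) > 1 else "dc01.corp.example"))
```

A report of `reachable: True` from an external vantage point means the perimeter filtering recommended above is not in place for port 389; `data_readable: True` from inside means the naming context is exposed to unauthenticated clients and the anonymous-access recommendation has not been applied. The probe speaks plain LDAP only; to test 636 or 3269 wrap the socket with the standard `ssl` module before sending the bind. Global Catalog port 3268 can be checked by passing `port=3268`.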
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-018.mspx
Security Focus:
http://www.securityfocus.com/bid/35226
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1139
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1138
This cyber advisory was issued by the Multi-State Information Sharing and Analysis Center (MS-ISAC) and was intended for government entities. The information may or may not be applicable to the general public and accordingly, the MS-ISAC does not warrant its use for any specific purposes.
