CERT VU#567620

Nov 11, 2003 - 12:00 a.m.

Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message

www.kb.cert.org

EPSS: 0.969 High (Percentile: 99.7%)

Overview

A remotely exploitable vulnerability affects Microsoft Windows systems. Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.

Description

A buffer overflow vulnerability exists in the Microsoft Workstation service. A remote attacker who can send a specially crafted network message to the vulnerable system could exploit this vulnerability to execute arbitrary code with system privileges.

According to the Microsoft Bulletin, MS03-049, the following systems are affected:

* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition

According to the Microsoft Bulletin, MS03-049, the following systems are NOT affected:

* Microsoft Windows NT Workstation 4.0, Service Pack 6a 
* Microsoft Windows NT Server 4.0, Service Pack 6a 
* Microsoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 
* Microsoft Windows Millennium Edition 
* Microsoft Windows XP 64-Bit Edition Version 2003 
* Microsoft Windows Server 2003 
* Microsoft Windows Server 2003 64-Bit Edition

Note that a proof of concept exploit has been posted publicly.

Impact

Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.


Solution

Apply the appropriate update for your system:

* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 - [_Download the update_](<http://www.microsoft.com/downloads/details.aspx?FamilyId=2467FE46-D167-479C-9638-D4D79483F261&displaylang=en>)
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1 - [_Download the update_](<http://www.microsoft.com/downloads/details.aspx?FamilyId=F02DA309-4B0A-4438-A0B9-5B67414C3833&displaylang=en>)
* Microsoft Windows XP 64-Bit Edition - [_Download the update_](<http://www.microsoft.com/downloads/details.aspx?FamilyId=2BE95254-4C65-4CA5-80A5-55FDF5AA2296&displaylang=en>)

As noted in the Microsoft Advisory:

**Note:** The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).


Note the following mitigation strategies from Microsoft’s Advisory:

* If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445 by using a firewall, an attacker would be prevented from sending messages to the Workstation service. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default.
* Disabling the Workstation service will prevent the possibility of attack. However, there are a number of impacts when performing this workaround. Please see the Workaround section for more details.
* Only Windows 2000 and Windows XP are affected. Other operating systems are not vulnerable to this attack.
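The patch and mitigation rules above can be applied to a host inventory to decide which machines still need attention. The following is an added example, not code from CERT or Microsoft; the record fields (`os`, `sp`, `bulletins`, `inbound_open`, `workstation_enabled`), the status names and the sample hosts are all constructed for illustration.

```python
# Added example; inventory records and field names are constructed.
AFFECTED = {  # (OS, service pack) pairs listed as affected; None = no SP
    ("Windows 2000", "SP2"), ("Windows 2000", "SP3"), ("Windows 2000", "SP4"),
    ("Windows XP", None), ("Windows XP", "SP1"),
    ("Windows XP 64-Bit Edition", None),
}
# Inbound ports the advisory says to block, as (protocol, port).
BLOCK = {(p, n) for p in ("udp", "tcp") for n in (138, 139, 445)}


def triage(host):
    """Return (status, reason) for one inventory record."""
    if (host["os"], host.get("sp")) not in AFFECTED:
        return "not_listed", "OS/SP not in the affected list"
    applied = set(host.get("bulletins", ()))
    if "MS03-049" in applied:
        return "patched", "MS03-049 update applied"
    # Per the Microsoft note, MS03-043 (828035) carries the fixed file on
    # Windows XP only; Windows 2000 still needs MS03-049. Treating every
    # XP edition as covered is an assumption of this example.
    if host["os"].startswith("Windows XP") and "MS03-043" in applied:
        return "patched", "fixed file delivered by MS03-043 on XP"
    if not host.get("workstation_enabled", True):
        return "mitigated", "unpatched, Workstation service disabled"
    open_ports = BLOCK & {tuple(p) for p in host.get("inbound_open", ())}
    if not open_ports:
        return "mitigated", "unpatched, 138/139/445 blocked inbound"
    ports = ", ".join(f"{p}/{n}" for p, n in sorted(open_ports))
    return "vulnerable", f"unpatched and reachable on {ports}"


def triage_all(inventory):
    """Map host name -> status for a list of records."""
    return {h["name"]: triage(h)[0] for h in inventory}


# Constructed sample inventory.
INVENTORY = [
    {"name": "w2k-a", "os": "Windows 2000", "sp": "SP4",
     "bulletins": ["MS03-043"], "inbound_open": [("tcp", 445)]},
    {"name": "xp-a", "os": "Windows XP", "sp": "SP1",
     "bulletins": ["MS03-043"], "inbound_open": [("tcp", 445)]},
    {"name": "xp-b", "os": "Windows XP", "sp": None,
     "bulletins": [], "inbound_open": [("tcp", 80)]},
    {"name": "srv-a", "os": "Windows Server 2003", "sp": None,
     "bulletins": [], "inbound_open": [("tcp", 445)]},
]
```

Hosts reported as `mitigated` are still unpatched and should be scheduled for the update; the status only lowers their priority relative to `vulnerable` hosts.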

Vendor Information

Microsoft Corporation - Affected

Updated: November 11, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please see <http://www.microsoft.com/technet/security/bulletin/MS03-049.asp>.

If you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:[email protected]?Subject=VU%23567620 Feedback>).

Acknowledgements

This issue was reported by eEye Digital Security and published in the monthly Microsoft Security Bulletin.

This document was written by Jason A Rafail.

Other Information

CVE IDs: CVE-2003-0812
CERT Advisory: CA-2003-28
Severity Metric:
