Vulnerability Note VU#594108

Microsoft Windows Active Directory fails to handle long LDAP requests

Published: July 17, 2003
Source: www.kb.cert.org

CVSS2 Base Score: 7.5 (High)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
Access Vector: Network; Access Complexity: Low; Authentication: None
Confidentiality Impact: Partial; Integrity Impact: Partial; Availability Impact: Partial

EPSS: 0.06 (Low), percentile 93.4%

Overview

A flaw has been discovered in the way that Microsoft's Active Directory service handles large LDAP search requests. A remote attacker who can reach the LDAP service could exploit it to crash the domain controller, causing a denial of service.

Description

The directory services provided by Microsoft’s Active Directory are based on the Lightweight Directory Access Protocol (LDAP). Active Directory objects can be stored and retrieved using standard LDAPv3 requests. Core Security Technologies has discovered a flaw in the way the Active Directory service handles long LDAP requests.

The flaw is triggered by an LDAP search request whose filter contains more than 700 logical qualifiers (e.g., AND or OR, written "&" and "|" in the RFC 2254 string representation of a filter). Exploitation reportedly results in a stack overflow and a crash of the Local Security Authority Subsystem Service (Lsass.exe), the process that hosts the directory service on a Windows 2000 domain controller. Because Lsass.exe is a critical system process, its termination forces a shutdown of the Windows host, resulting in a denial of service on the affected server.
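A practitioner who wants to spot filters of the kind described above, for instance in LDAP proxy logs or when validating filters an application builds from user input, needs to count the logical operators in a filter. The following is an added example, not code from CERT/CC, Core Security Technologies or Microsoft: a small parser for the RFC 2254 string form of an LDAP filter that counts "&", "|" and "!" operators and nesting depth, and flags filters over a threshold. Only the threshold of 700 comes from the advisory; the parser, the function names and the sample filters are constructed here.

```python
"""Static size check for LDAP search filters in RFC 2254 string form.

Added example (not CERT/CC, Core Security or Microsoft code).  It counts the
logical operators ('&', '|', '!') and the parenthesis nesting depth of a
filter string and flags filters above a threshold.  The 700-operator figure is
taken from the advisory text; everything else here is an assumption.
"""
from dataclasses import dataclass


@dataclass
class FilterStats:
    logical_ops: int   # number of '&', '|' and '!' operators
    max_depth: int     # deepest parenthesis nesting, leaf items included
    items: int         # attribute comparisons such as (cn=foo)


def analyze_filter(filt: str) -> FilterStats:
    """Walk a filter string and count operators, depth and leaf items.

    Values inside a leaf item must use RFC 2254 escapes (')' as \\29), so the
    next unescaped ')' always terminates the item.  Malformed input raises
    ValueError rather than being silently accepted.
    """
    logical_ops = max_depth = depth = items = 0
    i, n = 0, len(filt)
    while i < n:
        c = filt[i]
        if c == "(":
            depth += 1
            max_depth = max(max_depth, depth)
            nxt = filt[i + 1] if i + 1 < n else ""
            if nxt in ("&", "|", "!"):
                logical_ops += 1
                i += 2          # skip '(' and the operator; operands follow
                continue
            j = filt.find(")", i)   # leaf item: read through to its ')'
            if j == -1:
                raise ValueError("unterminated filter item at offset %d" % i)
            items += 1
            i = j               # the ')' is consumed in the next iteration
            continue
        if c == ")":
            if depth == 0:
                raise ValueError("unbalanced ')' at offset %d" % i)
            depth -= 1
        elif not c.isspace():
            raise ValueError("unexpected %r at offset %d" % (c, i))
        i += 1
    if depth != 0:
        raise ValueError("unbalanced '(' in filter")
    return FilterStats(logical_ops, max_depth, items)


def is_abusive(filt: str, max_logical_ops: int = 700) -> bool:
    """True when the filter carries more logical operators than allowed.

    The default of 700 is the advisory's figure; the page does not say
    whether the limit should be lower on a hardened deployment.
    """
    return analyze_filter(filt).logical_ops > max_logical_ops


def nested_and_filter(count: int, leaf: str = "(objectClass=*)") -> str:
    """Constructed test input: `count` nested AND operators around one leaf.

    Used only to exercise the checker above, e.g. nested_and_filter(2) gives
    "(&(&(objectClass=*)))".
    """
    return "(&" * count + leaf + ")" * count


if __name__ == "__main__":
    for sample in ("(|(&(cn=a)(sn=b))(&(cn=c)(sn=d)))",
                   nested_and_filter(700),
                   nested_and_filter(701)):
        stats = analyze_filter(sample)
        print("ops=%d depth=%d items=%d abusive=%s"
              % (stats.logical_ops, stats.max_depth, stats.items,
                 is_abusive(sample)))
```

On the wire the filter is BER-encoded inside the SearchRequest rather than sent as this string form, so a proxy or IDS that wants to enforce the same limit has to count the and/or/not CHOICE elements after decoding the request; the string checker above is for log review and for applications that assemble filters themselves.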


Impact

Remote attackers who can reach the LDAP service may be able to crash the Active Directory server; the CVSS vector above scores the attack as requiring no authentication. This is a serious denial-of-service condition because the Active Directory service necessarily runs on Windows domain controllers, and the crash takes down the whole host rather than just the LDAP listener. Unavailability of the domain controllers may affect normal operations within the domain, including logon and authentication. Note that this page documents only a crash (loss of availability); the partial confidentiality and integrity impacts in the CVSS2 vector are not supported by the description given here.


Solution

Microsoft has included a patch for this issue in Windows 2000 Service Pack 4. For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:

319709 - An Access Violation Occurs in Lsass Because of a Stack Overflow
260910 - How to Obtain the Latest Windows 2000 Service Pack


Workarounds

Block or restrict access to the Active Directory LDAP service (port 389/tcp) from untrusted networks such as the Internet. Domain controllers also accept LDAP on 636/tcp (LDAP over SSL/TLS) and on 3268/tcp and 3269/tcp (global catalog); this page does not say whether the flaw is reachable through those listeners, but restricting all of them from untrusted networks is the safe default. As a general rule, the CERT/CC recommends that sites block all types of network traffic from sources that are not explicitly required for normal operation.


Vendor Information


Microsoft Corporation: Affected

Notified: July 14, 2003 Updated: July 17, 2003

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The fix is included in Windows 2000 Service Pack 4; see the Solution section above for the relevant Microsoft Knowledge Base articles (319709 and 260910).




Acknowledgements

Thanks to Core Security Technologies for discovering, researching, and reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0507
Severity Metric: 13.10
Date Public:
