Microsoft Security Bulletin MS04-001
Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458) Issued: January 13, 2004 Version: 1.0
Summary Who should read this document: Customers who use Microsoft® Internet Security and Acceleration Server 2000
Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should install the security update immediately
Update Replacement: None
Tested Software and Security Update Download Locations:
Microsoft Internet Security and Acceleration Server 2000 - Download the update Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000) – Download the Update Microsoft Small Business Server 2003 (which includes Microsoft Internet Security and Acceleration Server 2000) – Download the Update Non Affected Software:
Microsoft Proxy Server 2.0 The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.
Technical Details Technical description:
A security vulnerability exists in the H.323 filter for Microsoft Internet Security and Acceleration Server 2000 that could allow an attacker to overflow a buffer in the Microsoft Firewall Service in Microsoft Internet Security and Acceleration Server 2000. An attacker who successfully exploited this vulnerability could try to run code of their choice in the security context of the Microsoft Firewall Service. This would give the attacker complete control over the system. The H.323 filter is enabled by default on servers running ISA Server 2000 computers that are installed in integrated or firewall mode.
ISA Servers running in cache mode are not vulnerable because the Microsoft Firewall Service is disabled by default Users can prevent the risk of attack by disabling the H.323 filter Severity Rating:
Microsoft Internet Security and Acceleration Server 2000 Critical
The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0819
Workarounds Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability however they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases – in such situations this is identified below.
Disable the H.323 filter. To disable the H.323 filter, follow these steps:
Open ISA management tool. Expand the Extensions container, expand the Application Filters container. Select the H.323 Filter and then click Disable. Restart the Microsoft Firewall Service Windows Components. Impact of workaround: If the H.323 filter is disabled, H.323 traffic is blocked by the Microsoft Firewall Service. This stops any applications that use the H.323 protocol for Internet Protocol (IP) telephony or data collaboration from communicating through the ISA Sever. If H.323 traffic is not on the network with the ISA Server, disabling this filter and other unused filters is recommended for enhanced security and performance.
Block TCP port 1720 at a perimeter or gateway router. By default the H.323 filter listens on external Transmission Control Protocol (TCP) port 1720. Blocking this port at a perimeter router will help to protect the ISA Server from an Internet-based attack. Note: Clicking to clear the Allow Incoming Calls check box on the Call Control tab of the H.323 filter settings does not configure the filter to stop listening on the external TCP port 1720 and is not an effective workaround. This behavior has been changed in this Security Update and is documented additionally in the “Frequently Asked Questions” section of this security bulletin.
Impact of workaround: If port 1720 traffic is blocked, applications that use the H.323 protocol for IP telephony or data collaboration can no longer be able to communicate over the Internet.
Frequently Asked Questions What is the scope of the vulnerability? This is a buffer overflow vulnerability. An attacker who successfully exploited this vulnerability could cause code to run in the security context of the Microsoft Firewall Service on ISA Server 2000. An attacker who successfully exploited this vulnerability could also gain complete control over the system.
What causes the vulnerability? This vulnerability results because of the way that the H.323 filter checks the boundaries on specially crafted H.323 traffic.
What is the H.323 Filter? The H.323 filter is an application filter that ISA Server 2000 uses to monitor and control traffic using H.323 and T.120 protocols. The H.323 protocol is used in IP telephony applications to transfer audio and video communications. The T.120 protocol is used in IP telephony applications to transfer data such as whiteboard, file transfer, or remote desktop data. The H.323 filter is enabled by default on ISA Server 2000.
What is the Microsoft Firewall Service? ISA Server’s Microsoft Firewall Service allows Internet applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to an ISA Server, establishing a communication path from the internal application to the Internet through the server computer.
The service eliminates the need for a specific gateway for each protocol, such as Simple Mail Transfer Protocol (SMTP), Telnet, File Transfer Protocol (FTP), or H.323 protocol.
What might an attacker use the vulnerability to do? An attacker who successfully exploited this vulnerability could cause code to run in the security context of the Microsoft Firewall Service on ISA Server 2000. An attacker who successfully exploited this vulnerability could gain complete control over the system.
Does this update contain any other security changes? Yes. The update also corrects an issue with the Call Control tab of the H.323 filter setting. Before this update if you clicked to clear the Allow Incoming Calls check box in the Call Control tab of the H.323 filter settings, the filter would not be configured to stop listening on the external TCP port 1720. This update corrects this problem. After the update, clicking to select this option correctly configures the filter to stop listening on the external TCP port 1720. The Microsoft Firewall Service must be restarted for this setting to take effect.
If the network that the H.323 filter is helping to protect intends to use only outgoing H.323 traffic, it is recommended that you disable Allow Incoming Calls to enhance security.
What does the update do? The update removes the vulnerability by modifying the way that the H.323 filter validates H.323 traffic.
I have installed the H.323 Gatekeeper Service. Is the H.323 Gatekeeper Service vulnerable? No. The H.323 Gatekeeper Service does not contain the vulnerability that is associated with this update. However, if the H.323 Gatekeeper Service has been installed on the system, an updated version of gksvc.dll will be installed with this update. The H.323 Gatekeeper Service is not installed by default.
If I install the H.323 Gatekeeper Service after I apply this update, do I need to re-apply the update? Yes. If setup components are re-installed, all updates should be re-applied.
Security Update Information
ISA Server 2000, ISA Server 2000 Feature Pack 1, Small Business Server 2000, Small Business Server 2000 Service Pack 1, Small Business Server 2003 Prerequisites
This security update requires ISA Server Service Pack 1 (SP1).
For additional information about how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server Service Pack
Inclusion in future service packs:
The fix for this issue will be included in ISA Server 2000 Service Pack 2.
This security update supports the following Setup switches:
-? : Show the list of installation switches. /q : Use Quiet mode (no user interaction). -UHF : Remove hotfix number (where is the number of the hotfix). -nostart : Do not start the stopped services Deployment Information
To install the security update without any user intervention, use the following command line:
You do not have to restart your computer after you apply this update. The ISA services are restarted when applying this update.
To remove this update, use the Add or Remove Programs tool in Control Panel. To do so, click ISA Server 2000 Updates, click Change, click ISA Hot Fix 291, and then click Remove
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.
Date Time Version Size File Name
16-Dec-2003 17:16 3.0.1200.291 140,560 Gksvc.dll X86 16-Dec-2003 17:16 3.0.1200.291 209,168 H323asn1.dll X86 16-Dec-2003 17:16 3.0.1200.291 86,800 H323fltr.dll X86
Note: Gksvc.dll will only be installed if the H.323 Gatekeeper Service is installed on the ISA Server. If the H.323 Gatekeeper Service is not installed, gksvc.dll will not be installed and will not exist on the system. This service is not installed by default.
The English version of this fix can be used for all languages of the product.
Verifying Update Installation
You may be able to verify the files that this security update installed by reviewing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291
Microsoft thanks the following for working with us to help protect customers:
The UK National Infrastructure Security Co-ordination Centre (NISCC) for reporting the issue described in MS04-001. Obtaining other security updates:
Updates for other security issues are available from the following locations:
Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch". Updates for consumer platforms are available from the WindowsUpdate Web site. Support:
Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates. International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site. Security Resources:
The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products. Microsoft Software Update Services Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge Base Article 306460 for list of security updates that have detection limitations with the MBSA tool. Windows Update Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog. Office Update Systems Management Server (SMS):
Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer
Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack’s Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.
Disclaimer: The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
V1.0 (January 13, 2004): Bulletin published
Contact Us | E-mail this Page | TechNet Newsletter