Microsoft Windows LSASS (Local Security Authority Subsystem Service) is prone to a remotely exploitable buffer overrun vulnerability. The specific vulnerable system component is LSASRV.DLL. Successful exploitation of this issue could allow a remote attacker to execute malicious code on a vulnerable system, resulting in full system compromise. This issue could be exploited by an anonymous user on Microsoft Windows 2000 and XP operating systems. The issue may reportedly only be exploited by local, authenticated users on Microsoft Windows Server 2003 and Microsoft Windows XP 64-Bit Edition 2003. Microsoft has stated that a local administrator could exploit the issue on these platforms, though this does not appear to pose any additional security risk as the administrator will likely already have complete control over the system.
Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.
Local attack vectors are reported to exist for this vulnerability. Do not permit untrusted individuals to have interactive access to the system. This will reduce exposure to privilege escalation attacks via this or other latent vulnerabilities.
Block external access at the network boundary, unless external parties require service.
Use multiple layers of network access control to regulate external or untrusted network traffic. This will help to limit exposure to exploitation of this and other latent vulnerabilities. This includes taking the general precaution of blocking RPC ports such as UDP ports 135-139 and 445 and TCP ports 135-139, 445 and 593. Specifically configured RPC ports and ports above 1024 should also be blocked if access to services on those ports is not explicitly required.
Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Deploy network intrusion detection systems to monitor network traffic for anomalous or suspicious activity. This may help in detecting attack attempts or activity that is the result of successful exploitation of this or other latent vulnerabilities.
Avaya has released an advisory to announce that Avaya System Products shipping on Microsoft platforms are also affected by this vulnerability. Avaya advise that customers follow the Microsoft recommendations for the resolution of this issue. The aforementioned advisory can be viewed at the following location: http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=161384&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate() Microsoft has released fixes to address this issue. US-CERT has released an advisory TA04-104A to address this and other issues. Please see the referenced advisory for more information.