Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability

2003-11-11T00:00:00
ID SMNTC-9011
Type symantec
Reporter Symantec Security Response
Modified 2003-11-11T00:00:00

Description

It has been reported that the Microsoft Windows Workstation service (WKSSVC.DLL) is prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable host. The problem lies in how the Workstation Service handles requests: it does not properly check bounds on remote data, making it possible to overwrite sensitive regions of system memory.

Technologies Affected

  • Cisco Broadband Troubleshooter
  • Cisco Building BroadBand Services Manager Hotspot 1.0.0
  • Cisco Building Broadband Service Manager 2.5.1
  • Cisco Building Broadband Service Manager 3.0.0
  • Cisco Building Broadband Service Manager 4.0.1
  • Cisco Building Broadband Service Manager 4.2.0
  • Cisco Building Broadband Service Manager 4.3.0
  • Cisco Building Broadband Service Manager 4.4.0
  • Cisco Building Broadband Service Manager 4.5.0
  • Cisco Building Broadband Service Manager 5.0.0
  • Cisco Building Broadband Service Manager 5.1.0
  • Cisco Call Manager 1.0.0
  • Cisco Call Manager 2.0.0
  • Cisco Call Manager 3.0.0
  • Cisco Call Manager 3.1.0 (2)
  • Cisco Call Manager 3.1.0 (3a)
  • Cisco Call Manager 3.1.0
  • Cisco Call Manager 3.2.0
  • Cisco Call Manager 3.3.0 (3)
  • Cisco Call Manager 3.3.0
  • Cisco Call Manager 4.0.0
  • Cisco Call Manager
  • Cisco CiscoWorks VPN/Security Management Solution
  • Cisco Collaboration Server
  • Cisco Conference Connection 1.1.0 (1)
  • Cisco Conference Connection 1.2.0
  • Cisco Conference Connection
  • Cisco Customer Response Application Server
  • Cisco DOCSIS CPE Configurator
  • Cisco Dynamic Content Adapter
  • Cisco E-Mail Manager
  • Cisco IP Call Center Express (IPCC Express) Enhanced 3.0.0
  • Cisco IP Call Center Express (IPCC Express) Standard 3.0.0
  • Cisco IP Telephony Environment Monitor
  • Cisco IP/TV Server
  • Cisco IP/VC 3540 Application Server
  • Cisco IP/VC 3540 Video Rate Matching Module
  • Cisco Intelligent Contact Manager 5.0.0
  • Cisco Intelligent Contact Manager
  • Cisco Internet Service Node
  • Cisco Lan Management Solution
  • Cisco Media Blender
  • Cisco Network Registrar
  • Cisco Networking Services for Active Directory
  • Cisco Personal Assistant 1.3.0 (1)
  • Cisco Personal Assistant 1.3.0 (2)
  • Cisco Personal Assistant 1.3.0 (3)
  • Cisco Personal Assistant 1.3.0 (4)
  • Cisco Personal Assistant 1.4.0 (1)
  • Cisco Personal Assistant 1.4.0 (2)
  • Cisco Personal Assistant
  • Cisco QoS Policy Manager
  • Cisco Routed Wan Management
  • Cisco SN 5420 Storage Router 1.1.0 (2)
  • Cisco SN 5420 Storage Router 1.1.0 (3)
  • Cisco SN 5420 Storage Router 1.1.0 (4)
  • Cisco SN 5420 Storage Router 1.1.0 (5)
  • Cisco SN 5420 Storage Router 1.1.0 (7)
  • Cisco SN 5420 Storage Router 1.1.3
  • Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
  • Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
  • Cisco SN 5428 Storage Router SN5428-2.5.1-K9
  • Cisco SN 5428 Storage Router SN5428-3.2.1-K9
  • Cisco SN 5428 Storage Router SN5428-3.2.2-K9
  • Cisco SN 5428 Storage Router SN5428-3.3.1-K9
  • Cisco SN 5428 Storage Router SN5428-3.3.2-K9
  • Cisco Secure Access Control Server 3.2.0 (1.20)
  • Cisco Secure Access Control Server 3.2.1
  • Cisco Secure Access Control Server 3.2.2
  • Cisco Secure Access Control Server
  • Cisco Secure Policy Manager 3.0.1
  • Cisco Secure Scanner
  • Cisco Service Management
  • Cisco Small Network Management Solution
  • Cisco Trailhead
  • Cisco Transport Manager
  • Cisco Unity Server 2.0.0
  • Cisco Unity Server 2.1.0
  • Cisco Unity Server 2.2.0
  • Cisco Unity Server 2.3.0
  • Cisco Unity Server 2.4.0
  • Cisco Unity Server 2.46.0
  • Cisco Unity Server 3.0.0
  • Cisco Unity Server 3.1.0
  • Cisco Unity Server 3.2.0
  • Cisco Unity Server 3.3.0
  • Cisco Unity Server 4.0.0
  • Cisco Unity Server
  • Cisco User Registration Tool
  • Cisco Voice Manager
  • Cisco uOne Enterprise Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1

Recommendations

Block external access at the network boundary, unless external parties require service.
Filter network traffic of questionable integrity at network boundaries. Use ingress and egress filtering to block the entry and exit of prohibited traffic. Since the service binds to a number of ports, including random ports over 1024, it is strongly encouraged that all ports that do not explicitly require remote access are filtered. Filter all traffic destined for internal broadcast addresses. Use a stateful inspection firewall or application proxy server to ensure that incoming UDP packets with source port 53 are in fact DNS packets and that, of those, only expected replies to internally transmitted DNS queries are allowed in.
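
The stateful check described above for inbound UDP with source port 53, as an added example that is not part of the Symantec advisory or any vendor's firewall code. The class and function names, the 5-second reply window, and the sample addresses and packets are assumptions constructed for illustration.

```python
import struct
import time

DNS_PORT = 53

def dns_header(payload):
    """Return (txid, is_response), or None if too short to be DNS."""
    if len(payload) < 12:  # fixed header: ID, flags, four section counts
        return None
    txid, flags = struct.unpack("!2H", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

class DnsReplyFilter:
    """Admit inbound UDP from source port 53 only as replies to tracked queries."""

    def __init__(self, ttl=5.0, clock=time.monotonic):  # ttl: assumed window
        self.ttl, self.clock = ttl, clock
        self.pending = {}  # (client_ip, client_port, server_ip, txid) -> expiry

    def outbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        hdr = dns_header(payload)
        if dst_port != DNS_PORT or hdr is None or hdr[1]:
            return False  # not a DNS query, nothing to track
        now = self.clock()
        self.pending = {k: v for k, v in self.pending.items() if v >= now}
        self.pending[(src_ip, src_port, dst_ip, hdr[0])] = now + self.ttl
        return True

    def inbound(self, src_ip, src_port, dst_ip, dst_port, payload):
        """True only for a DNS response matching a pending, unexpired query."""
        hdr = dns_header(payload)
        if src_port != DNS_PORT or hdr is None or not hdr[1]:
            return False  # wrong port, not DNS, or a query instead of a reply
        expiry = self.pending.pop((dst_ip, dst_port, src_ip, hdr[0]), None)
        return expiry is not None and expiry >= self.clock()

def sample_packet(txid, response):  # constructed example.com A message
    header = struct.pack("!6H", txid, 0x8180 if response else 0x0100, 1, 0, 0, 0)
    return header + b"\x07example\x03com\x00" + struct.pack("!2H", 1, 1)

def demo():
    f = DnsReplyFilter()
    client, resolver, other = "192.0.2.10", "198.51.100.53", "203.0.113.7"
    f.outbound(client, 40000, resolver, 53, sample_packet(0x1234, False))
    return [
        f.inbound(other, 53, client, 40000, sample_packet(0x1234, True)),  # wrong server
        f.inbound(resolver, 53, client, 40000, b"\x00" * 8),  # not DNS
        f.inbound(resolver, 53, client, 40000, sample_packet(0x1234, True)),  # expected
        f.inbound(resolver, 53, client, 40000, sample_packet(0x1234, True)),  # replay
    ]
```

The match here uses the address and port pair plus the DNS transaction ID; a production firewall would typically also compare the question section of the reply against the tracked query.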

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Use network intrusion detection systems to monitor networks for anomalous activity and report attempted attacks against network resources.

Disable any services that are not needed.
Systems that do not need remote users to execute commands should have remote procedure call (RPC) disabled where possible.

Microsoft has released security advisory MS03-049 to address this issue. Users are strongly advised to obtain fixes, as new attack vectors greatly increase the speed of an attack on a targeted network. Cisco has released a security advisory detailing affected Cisco products. See the referenced advisory for details on obtaining fixes.