-----BEGIN PGP SIGNED MESSAGE----- CERT Advisory CA-2003-28 Buffer Overflow in Windows Workstation Service Original release date: November 11, 2003 Last revised: -- Source: CERT/CC A complete revision history is at the end of this file. Systems Affected * Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 * Microsoft Windows XP * Microsoft Windows XP Service Pack 1 * Microsoft Windows XP 64-Bit Edition Overview A buffer overflow vulnerability exists in Microsoft's Windows Workstation Service (WKSSVC.DLL). A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service. I. Description Microsoft's Security Bulletin MS03-049 discusses a buffer overflow in Microsoft's Workstation Service that can be exploited via a specially crafted network message. According to the eEye Digital Security Advisory AD20031111, the vulnerability is caused by a flaw in the network management functions of the DCE/RPC service and a logging function implemented in Workstation Service (WKSSVC.DLL). Various RPC functions will permit the passing of long strings to the vsprintf() routine that is used to create log entries. The vsprintf() routine contains no bounds checking for parameters thus creating a buffer overflow situation. The CERT/CC is tracking this issue as VU#567620. This reference number corresponds to CVE candidate CAN-2003-0812. II. Impact A remote attacker could exploit this vulnerability to execute arbitrary code with system-level privileges or to cause a denial of service. The exploit vector and impact for this vulnerability are conducive to automated attacks such as worms. III. Solution Apply a patch from your vendor Apply the appropriate patch as specified in Microsoft Security Bulletin MS03-049. Appendix A contains additional information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments. Please contact your vendor directly. Restrict access You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 138, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate. Disable the Workstation Service Depending on site requirements, you may wish to disable the Workstation Service as described in MS03-049. Disabling the Workstation Service will help protect against this vulnerability, but may also cause undesirable side effects. According to the Microsoft's Security Bulletin, the impacts of disabling the Workstation Service are as follows: "If the Workstation service is disabled, the system cannot connect to any shared file resources or shared print resources on a network. Only use this workaround on stand-alone systems (such as many home systems) that do not connect to a network. If the Workstation service is disabled, any services that explicitly depend on the Workstation service do not start, and an error message is logged in the system event log. The following services depend on the Workstation service: * Alerter * Browser * Messenger * Net Logon * RPC Locator These services are required to access resources on a network and to perform domain authentication. Internet connectivity and browsing for stand-alone systems, such as users on dial-up connections, on DSL connections, or on cable modem connections, should not be affected if these services are disabled. Note: The Microsoft Baseline Security Analyzer will not function if the Workstation service is disabled. It is possible that other applications may also require the Workstation service. If an application requires the Workstation service, simply re-enable the service. This can be performed by changing the Startup Type for the Workstation service back to Automatic and restarting the system." Appendix A. - Vendor Information This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments. Microsoft Corporation Microsoft has released MS03-049. _________________________________________________________________ This vulnerability was discoved by eEye Digital Security and reported in Microsoft Security Bulletin MS03-049. _________________________________________________________________ Author: Jason A Rafail. ______________________________________________________________________ This document is available from: http://www.cert.org/advisories/CA-2003-28.html ______________________________________________________________________ CERT/CC Contact Information Email: cert@cert.org Phone: +1 412-268-7090 (24-hour hotline) Fax: +1 412-268-6989 Postal address: CERT Coordination Center Software Engineering Institute Carnegie Mellon University Pittsburgh PA 15213-3890 U.S.A. CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo@cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. ______________________________________________________________________ NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. ______________________________________________________________________ Conditions for use, disclaimers, and sponsorship information Copyright 2003 Carnegie Mellon University. Revision History Nov 11, 2003: Initial release -----BEGIN PGP SIGNATURE----- Version: PGP 6.5.8 iQCVAwUBP7F0nJZ2NNT/dVAVAQG7/wQAmaU+HCKRv46mZx8QJv2GetcS+2F9oJeZ V5Yb6vZc+e/PldD3eVLNPLsAlSX2eKE8ecjaY429vuzoaELQXk/9fnpI3EwhduwQ kmcUQ5zZ56yFo0tA+Ym6ksaGi/tMSUlPwZuvV/B/iS9vMXN7hcZr9eYmNey/vJuj R2c4QCey+R8= =/wxG -----END PGP SIGNATURE-----