From: MICROSOFT <secure_(at)_microsoft.com>
Date: 14.06.2006
Subject: Microsoft Security Bulletin MS06-031 Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)

Microsoft Security Bulletin MS06-031
Vulnerability in RPC Mutual Authentication Could Allow Spoofing (917736)
Published: June 13, 2006

Version: 1.0
Summary

Who Should Read this Document: Customers who use Microsoft Windows

Impact of Vulnerability: Spoofing

Maximum Severity Rating: Moderate

Recommendation: Customers should consider applying the security update

Security Update Replacement: None

Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:


Microsoft Windows 2000 Service Pack 4

Non-Affected Software:


Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2


Microsoft Windows XP Professional x64 Edition


Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1


Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems


Microsoft Windows Server 2003 x64 Edition


Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (Me)

The software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.
General Information

Executive Summary:

This update resolves a newly discovered, privately reported vulnerability. A spoofing vulnerability exists in the RPC service that could enable an attacker to spoof a trusted network resource. The vulnerability is documented in the "Vulnerability Details" section of this bulletin.

Severity Ratings and Vulnerability Identifiers:
Vulnerability Identifiers | Impact of Vulnerability | Windows 2000
RPC Mutual Authentication Vulnerability - CVE-2006-2380 | Spoofing | Moderate

This assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Frequently Asked Questions (FAQ) Related to This Security Update

Extended security update support for Microsoft Windows 2000 Service Pack 3 ended on June 30, 2005. I am still using one of these operating systems, what should I do?
Windows 2000 Service Pack 3 has reached its end of life cycle. It should be a priority for customers who have this operating system version to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for this operating system version, visit the Microsoft Product Support Services Web site.

Customers who require custom support for these products must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Windows Operating System Product Support Lifecycle FAQ.

Can I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?
The following table provides the MBSA detection summary for this security update.
Software | MBSA 1.2.1 | MBSA 2.0
Microsoft Windows 2000 Service Pack 4 | Yes | Yes

For more information about MBSA, visit the MBSA Web site. For more information about the software that Microsoft Update and MBSA 2.0 currently do not detect, see Microsoft Knowledge Base Article 895660.

Can I use Systems Management Server (SMS) to determine whether this update is required?
The following table provides the SMS detection summary for this security update.
Software | SMS 2.0 | SMS 2003
Microsoft Windows 2000 Service Pack 4 | Yes | Yes

SMS uses MBSA for detection. Therefore, SMS has the same limitation that is listed earlier in this bulletin related to software that MBSA does not detect.

For SMS 2.0, the SMS SUS Feature Pack, which includes the Security Update Inventory Tool, can be used by SMS to detect security updates. SMS SUIT uses the MBSA 1.2.1 engine for detection. For more information about the Security Update Inventory Tool, visit the following Microsoft Web site. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460. The SMS SUS Feature Pack also includes the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For SMS 2003, the SMS 2003 Inventory Tool for Microsoft Updates can be used by SMS to detect security updates that are offered by Microsoft Update and that are supported by Windows Server Update Services. For more information about the SMS 2003 Inventory Tool for Microsoft Updates, visit the following Microsoft Web site. SMS 2003 can also use the Microsoft Office Inventory Tool to detect required updates for Microsoft Office applications.

For more information about SMS, visit the SMS Web site.

Vulnerability Details

RPC Mutual Authentication Vulnerability - CVE-2006-2380:

There is a spoofing vulnerability in the way that RPC handles mutual authentication. This vulnerability could allow an attacker to persuade a user to connect to a malicious RPC server which appears to be valid.

Mitigating Factors for RPC Mutual Authentication Vulnerability - CVE-2006-2380:


An attacker would have no way to force users to connect to a malicious RPC server.

Workarounds for RPC Mutual Authentication Vulnerability - CVE-2006-2380:

Microsoft has tested the following workarounds. Although these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section.


To help protect from network-based attempts to exploit this vulnerability, IPSec can be used to ensure the identity of a system.

Use Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.

FAQ for RPC Mutual Authentication Vulnerability - CVE-2006-2380:

What is the scope of the vulnerability?
This is a spoofing vulnerability which affects custom RPC applications acting as RPC clients using SSL with the mutual authentication option. An attacker who successfully exploited this vulnerability could impersonate a valid RPC server.

What causes the vulnerability?
The affected product does not correctly validate the identity of the RPC server while utilizing mutual authentication over Secure Sockets Layer (SSL).

What is Mutual Authentication?
Both the client and the server machines will exchange credentials to verify identities before data is exchanged.
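
The bulletin does not describe the internals of the defect. As an added illustration (not Microsoft's code and not the RPC runtime's logic), the Python sketch below shows the general client-side check that server identity validation requires under certificate-based mutual authentication: the certificate must chain to a trusted issuer and must also name the server the client intended to reach. The trust list, host names and certificates are constructed for the example, and issuer matching stands in for full chain validation.

```python
# Added illustration; cert dicts follow ssl.SSLSocket.getpeercert(), values constructed.

TRUSTED_ISSUERS = {"Example Corp Internal CA"}  # assumption: client's trust list


def _field(cert, key, attr):
    """Return the first value of `attr` (e.g. commonName) in cert[key]."""
    for rdn in cert.get(key, ()):
        for name, value in rdn:
            if name == attr:
                return value
    return None


def chain_is_trusted(cert):
    """Stand-in for chain validation: the issuer is on the trust list."""
    return _field(cert, "issuer", "commonName") in TRUSTED_ISSUERS


def name_matches(cert, expected):
    """Compare the expected server name with the certificate's DNS names."""
    expected = expected.lower().rstrip(".")
    for kind, value in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        pattern = value.lower()
        # A wildcard covers exactly one left-most label.
        wildcard_ok = pattern.startswith("*.") and "." in expected \
            and expected.split(".", 1)[1] == pattern[2:]
        if pattern == expected or wildcard_ok:
            return True
    return False


def accept_server_weak(cert, expected):
    """Flawed client: any certificate from a trusted issuer is accepted."""
    return chain_is_trusted(cert)


def accept_server_strict(cert, expected):
    """Correct client: trusted issuer AND the name the client asked for."""
    return chain_is_trusted(cert) and name_matches(cert, expected)


# Constructed sample certificates.
GENUINE = {"issuer": ((("commonName", "Example Corp Internal CA"),),),
           "subjectAltName": (("DNS", "rpc01.corp.example"),)}
OTHER_HOST = {"issuer": ((("commonName", "Example Corp Internal CA"),),),
              "subjectAltName": (("DNS", "kiosk17.corp.example"),)}
```

With these samples, the weak check accepts both certificates for `rpc01.corp.example`, while the strict check accepts only `GENUINE`.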

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could impersonate a valid service.

Who could exploit the vulnerability?
An attacker would first need to persuade a user to connect to a resource which requires mutual authentication using Secure Sockets Layer (SSL). The attacker could then impersonate a valid RPC server. An attacker would have no way to force users to visit the RPC server.

How could an attacker exploit the vulnerability?
An attacker could try to exploit the vulnerability by persuading a user to connect to an RPC service which has been configured to impersonate a valid server.

What systems are primarily at risk from the vulnerability?
Workstations and servers are at risk from this vulnerability.

Could the vulnerability be exploited over the Internet?
Yes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.

What does the update do?
The update removes the vulnerability by modifying the way that RPC handles mutual authentication.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
No. Microsoft received information about this vulnerability through responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued.

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:


Michael Colson of Symantec for reporting the RPC Mutual Authentication Vulnerability (CVE-2006-2380).

Revisions:


V1.0 (June 13, 2006): Bulletin published.
