|
| From: | X-FORCE | | Date: | 14.04.2004 | | Subject: | ISS Security Brief: Microsoft SSL Library Remote Compromise Vulnerability |
-----BEGIN PGP SIGNED MESSAGE-----
Internet Security Systems Security Brief
April 13, 2004
Microsoft SSL Library Remote Compromise Vulnerability
Synopsis:
ISS X-Force has discovered a remotely exploitable buffer overflow
condition in the Microsoft Secure Sockets Layer (SSL) library. SSL is an
encryption technology commonly used to secure Web and email
communications. A buffer overflow condition occurs when processing PCT
1.0 handshake packets that can lead to remote, privileged compromise of
affected Windows installations.
Impact:
If any SSL-enabled services are present, and both the PCT 1.0 and SSL 2.0
protocols are enabled, remote attackers may exploit the buffer overflow
condition to execute arbitrary code on vulnerable Windows server
installations. This code would run with local system privileges. The
protocols necessary for remote exploitation are enabled by default in
Windows 2000 and Windows NT version 4.
Common vectors for exploitation might include Internet Information Server
(IIS), Exchange Server, Active Directory, and potentially any software
making use of the Microsoft SSL library including unlisted third-party
software.
The severity of this vulnerability is compounded by the fact that SSL is
most often used to secure communications involving confidential or
valuable financial information, and that Firewalls and packet filtering
alone will not be able to stop attacks. X-Force believes that hackers will
aggressively target this vulnerability given the high-value nature of Web
sites protected by SSL.
Affected Versions:
Microsoft Windows 2000 up to and including SP4
Microsoft Windows NT version 4 up to and including SP6a
Microsoft Windows XP up to SP1
Note: The SSL library included in Windows Server 2003 contains the
vulnerability. However, the PCT 1.0 protocol is disabled by default.
For the complete ISS X-Force Security Advisory, please visit:
http://xforce.iss.net/xforce/alerts/id/168
______
About Internet Security Systems (ISS)
Founded in 1994, Internet Security Systems (ISS) (Nasdaq: ISSX) is a
pioneer and world leader in software and services that protect critical
online resources from an ever-changing spectrum of threats and misuse.
Internet Security Systems is headquartered in Atlanta, GA, with
additional operations throughout the Americas, Asia, Australia, Europe
and the Middle East.
Copyright (c) 2004 Internet Security Systems, Inc. All rights reserved
worldwide.
Permission is hereby granted for the electronic redistribution of this
document. It is not to be edited or altered in any way without the
express written consent of the Internet Security Systems X-Force. If you
wish to reprint the whole or any part of this document in any other
medium excluding electronic media, please email xforce@iss.net for
permission.
Disclaimer: The information within this paper may change without notice.
Use of this information constitutes acceptance for use in an AS IS
condition. There are NO warranties, implied or otherwise, with regard to
this information or its use. Any use of this information is at the
user's risk. In no event shall the author/distributor (Internet Security
Systems X-Force) be held liable for any damages whatsoever arising out
of or in connection with the use or spread of this information.
X-Force PGP Key available on MIT's PGP key server and PGP.com's key server,
as well as at http://www.iss.net/security_center/sensitive.php
Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.
-----BEGIN PGP SIGNATURE-----
Version: 2.6.2
iQCVAwUBQHwhGjRfJiV99eG9AQG/KgP/TFTJjzZg/5lrX52D67Rh2JMrjSC4Sp5F
Qst/LElSiE0jFaZDFDWLMJnpovZOvzDknH0U+4Hy7FrYiUSvNz+2F4ktBsFwjjFs
F0sGJ1u/97MWbViRpPLY6iaw+N27RY5jmoa2E2pq57Ys/piQGY3Cvj/7/Xky1HTx
Qh/gD9Z4iKs=
=X1Px
-----END PGP SIGNATURE-----
|
