Security Briefs: Two Protocol Vulnerabilities Disclosed

TCP vulnerability exploit found in the wild; buffer overflow weakness uncovered in Microsoft PCT protocol

Microsoft TCP Vulnerability Exploit Revealed

An exploit for a transmission control protocol (TCP) vulnerability is now in the wild, warns CERT. By exploiting the vulnerability, attackers can reset TCP sessions and send packets with forged IP and TCP information, ultimately creating a denial-of-service attack.

The vulnerability affects Cisco’s voice over IP (VoIP) software, and virtually every Microsoft operating system, not including Windows XP, as well as various types of hardware from BlueCoat, Check Point, Cisco, Cray, IETF, InterNiche, and SEIL. Security experts are still testing products; more may be affected.

Symantec says vulnerable products “will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing for denial-of-service attacks.”

Long-lived TCP connections and “known or easily guessed” IP addresses are especially at risk, the company says.

Still, Symantec says the vulnerability doesn’t seem to be immediately threatening companies.

“At this time, Symantec has seen no evidence of systems being widely impacted by this exploit,” says Vincent Weafer, senior director of Symantec Security Response. “Internet service providers are aware of the TCP flaw and fixes have been made available for some time by multiple vendors. As a result, Symantec does not feel that this exploit will have an immediate impact on Internet activity, disrupt Internet traffic, or cause system outages.”

Symantec recommends security managers immediately patch their systems. Other workarounds include activating IPSEC (IP security) to encrypt TCP protocol data during transmission.

“While there are serious risks if systems are left unpatched, the majority of the systems should be safe,” says Weafer.

More information:http://securityresponse.symantec.com/avcenter/security/Content/10183.html

Microsoft PCT Vulnerability Exploit Released

CERT warned that exploit code in the wild targets a “critical” Microsoft Private Communication Technology (PCT) protocol buffer overflow vulnerability. A successful attack could give an attacker system-level privileges and do anything on a machine, including installing programs or deleting files.

In addition, CERT says there’s evidence of active scanning and attempts to exploit this vulnerability, especially via ports 443/tcp—using SSL—and 31337/tcp. Note, however, “the exploit code could be modified to use a different port or to execute different code,” the organization warns.

PCT is “a proprietary protocol developed by Microsoft and Visa International as an alternative to SSL 2.0,” according to Internet Security Systems (ISS).

The vulnerability affects most Microsoft operating systems, including Windows XP and Windows Server 2003, as well as Microsoft NetMeeting. Vulnerability-information-service provider Secunia says the vulnerability is due to “a boundary error within the Microsoft Secure Sockets Layer (SSL) library when checking message inputs.” A specially crafted PCT message will allow an attacker to execute arbitrary code.

The vulnerability’s broad impact is due to its occurring in a system library, not just a particular program. “Any third-party application that uses Microsoft SSL functions is also vulnerable,” advises ISS.

The PCT vulnerability is just one of 14 Windows vulnerabilities Microsoft just announced. Secunia rates many of them as “highly critical.”

For example, attackers can use a Local Security Authority Subsystem Service boundary error to cause a buffer overflow and potentially gain full access to a system, though “the vulnerability can reportedly only be exploited remotely on Windows 2000 and Windows XP systems,” notes Secunia.

Another vulnerability, the Windows Local Security Authority Subsystem Service, can be exploited via a properly crafted LDAP message to reboot a Windows 2000 domain controller and gain escalated privileges.

Secunia recommends IT managers install patches immediately.

Patch:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.