Date: Thu, 29 Jan 2004 15:45:00 -0500
From: Cisco Systems Product Security Incident Response Team <psirt@cisco.com.>
To: [email protected]Subject: Cisco Security Advisory: Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049)
Cc: [email protected]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
Cisco Security Advisory: Buffer Overrun in Microsoft Windows 2000
Workstation Service (MS03-049)
Revision 1.0 - FINAL
For Public Release 2004 January 29 18:00 UTC (GMT)
- -----------------------------------------------------------------------
Contents
========
Summary
Affected Products
Details
Impact
Software Versions and Fixes
Obtaining Fixed Software
Workarounds
Exploitation and Public Announcements
Status of This Notice: FINAL
Distribution
Revision History
Cisco Security Procedures
- -----------------------------------------------------------------------
Summary
=======
This advisory describes a vulnerability that affects Cisco products and
applications running on Microsoft Windows 2000.
A vulnerability has been discovered that enables an attacker to execute
arbitrary code or perform a denial of service (DoS) against the server.
These vulnerabilities were discovered and publicly announced by
Microsoft in their Microsoft Security Bulletin MS03-049. More
information about the vulnerability can be found at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
All Cisco products and applications that are using unpatched Microsoft
Windows 2000 are vulnerable.
This advisory is available at:
http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms03-049.shtml
Affected Products
=================
To determine if a product is vulnerable, review the list below. If the
software versions or configuration information are provided, then only
those combinations are vulnerable. This is a list of appliance software
which needs patches downloaded from Cisco.
* Cisco CallManager
* Cisco Building Broadband Service Manager (BBSM)
+ BBSM Version 5.2
+ HotSpot 1.0
* Cisco Customer Response Application Server (CRA)
* Cisco Personal Assistant (PA)
* Cisco Conference Connection (CCC)
* Cisco Emergency Responder (CER)
* Cisco IP Call Center Express (IPCC Express)
* Cisco Internet Service Node (ISN)
Other Cisco products which run on a Microsoft based operating system
should strongly consider loading the patch from Microsoft at the
following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
This list is not all inclusive. Please refer to Microsoft's bulletin if
you think you have an affected Microsoft platform.
* Cisco Unity
* Cisco Building Broadband Service Manager (BBSM) versions 5.1 and
prior
* Cisco uOne Enterprise Edition
* Cisco Latitude products
* Cisco Network Registrar (CNR)
* Cisco Internet Service Node (ISN)
* Cisco Intelligent Contact Manager (ICM) (Hosted and Enterprise)
* Cisco IP Contact Center (IPCC) (Express and Enterprise)
* Cisco E-mail Manager (CEM)
* Cisco Collaboration Server (CCS)
* Cisco Dynamic Content Adapter (DCA)
* Cisco Media Blender (CMB)
* TrailHead (Part of the Web Gateway solution)
* Cisco Networking Services for Active Directory (CNS/AD)
* Cisco SN 5400 Series Storage Routers (driver to interface to
Windows server)
* CiscoWorks
+ CiscoWorks VPN/Security Management Solution (CWVMS)
+ User Registration Tool
+ Lan Management Solution
+ Routed WAN Management
+ Service Management
+ VPN/Security Management Solution
+ IP Telephony Environment Monitor
+ Small Network Management Solution
+ QoS Policy Manager
+ Voice Manager
* Cisco Transport Manager (CTM)
* Cisco Broadband Troubleshooter (CBT)
* DOCSIS CPE Configurator
* Cisco Secure Applications
+ Cisco Secure Scanner
+ Cisco Secure Policy Manager (CSPM)
+ Access Control Server (ACS)
* Videoconferencing Applications
+ IP/VC 3540 Video Rate Matching Module
+ IP/VC 3540 Application Server
* Cisco IP/TV Server
Details
=======
Default installations of Microsoft Windows 2000 Server automatically
enable the Workstation service. This vulnerability is not isolated to
Microsoft Windows 2000 Workstation edition.
The Microsoft Windows 2000 Workstation service is vulnerable to buffer
overflows and denial of service (DoS) attacks. This vulnerability can
be exploited to execute arbitrary code on a computer system or to
disrupt normal operation of the server.
The vulnerability has been described in more detail at the following
URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
Impact
======
According to Microsoft, an attacker could gain System privileges on an
affected system, or could cause the Workstation service to fail. For a
full list of symptoms and for the most up to date information, please
see Microsoft's Bulletin at the following URL:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
Software Versions and Fixes
Affected Cisco IP Telephony Applications: for all versions of Cisco
CallManager and all compatible versions of Cisco IP Interactive Voice
Response (IP IVR), Cisco IP Call Center Express (IPCC Express), Cisco
Personal Assistant (PA), Cisco Emergency Responder (CER), Cisco
Conference Connection (CCC), and Cisco Internet Service Node (ISN).
Customers should apply the win-OS-Upgrade-k9.2000-2-5sr4.exe or later
package located at the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cmva-3des?psrtdcat20e2
Cisco Building Broadband Service Manager
For BBSM Version 5.2, apply BBSM52SP2.exe found at the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsm52
Instructions for installing service patches on BBSM can be found at the
following URL:
http://cco.cisco.com/en/US/products/sw/netmgtsw/ps533/products_user_guide_chapter09186a00801da1bc.html
Cisco HotSpot 1.0
For HotSpot1.0, apply Service Pack 1 available at the following URL:
http://www.cisco.com/pcgi-bin/tablebuild.pl/bbsmhs10
Obtaining Fixed Software
Where Cisco provides the operating system bundled with the product,
Cisco is offering software upgrades free of charge to address these
vulnerabilities for all affected customers. Customers may only install
and expect support for the feature sets they have purchased.
Customers with contracts should obtain upgraded software through their
regular update channels. For most customers, this means that upgrades
should be obtained through the Software Center on Cisco's worldwide
website at http://www.cisco.com.
Customers whose Cisco products are provided or maintained through prior
or existing agreement with third-party support organizations such as
Cisco Partners, authorized resellers, or service providers should
contact that support organization for assistance with the upgrade,
which should be free of charge.
Customers who purchase direct from Cisco but who do not hold a Cisco
service contract and customers who purchase through third-party vendors
but are unsuccessful at obtaining fixed software through their point of
sale should get their upgrades by contacting the Cisco Technical
Assistance Center (TAC). TAC contacts are as follows.
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [email protected]
Please have your product serial number available and give the URL of
this notice as evidence of your entitlement to a free upgrade. Free
upgrades for non-contract customers must be requested through the TAC.
Please do not contact either "[email protected]" or
"[email protected]" for software upgrades.
If you need assistance with the implementation of the workarounds, or
have questions on the workarounds, please contact the Cisco Technical
Assistance Center (TAC).
* +1 800 553 2447 (toll free from within North America)
* +1 408 526 7209 (toll call from anywhere in the world)
* e-mail: [email protected]
See http://www.cisco.com/warp/public/687/Directory/DirTAC.shtml for
additional TAC contact information, including special localized
telephone numbers and instructions and e-mail addresses for use in
various languages.
Workarounds
===========
Currently there are no known active worms exploiting this
vulnerability. However, users can protect themselves from the potential
infection by applying access control lists (ACLs).
The Workstation service receives packets on UDP and TCP ports 138, 139
and 445. Restricting traffic to these ports may help mitigate the
spread of any worm that exploits this vulnerability. Restricting
traffic to these ports may also help prevent improper access, DoS, and
other non-worm related exploitation.
Please also reference the Microsoft posting for additional workarounds:
http://www.microsoft.com/technet/security/bulletin/MS03-049.asp
Customers who have firewalls, or have deployed Network Intrusion
Detection Systems (NIDS) and/or Host Intrusion Detection Systems (HIDS)
in their network may be able to use these devices to detect attempted
exploitation or protect themselves from exploitation of this
vulnerability. Customers with these products should refer to their
product documentation from their vendor for information on how to
properly configure these devices.
Customers who have Cisco IDS devices installed in their network can
find more information at the following URL:
http://www.cisco.com/pcgi-bin/front.x/csec/csecHome.pl
Exploitation and Public Announcements
The Cisco PSIRT is not aware of any active exploitation of this
vulnerability.
Status of This Notice: FINAL
This is a final advisory. Although Cisco cannot guarantee the accuracy
of all statements in this advisory, all of the facts have been checked
to the best of our ability. Cisco does not anticipate issuing updated
versions of this advisory. Should there be a significant, material
change in the facts, Cisco may update this advisory.
A stand-alone copy or paraphrase of the text of this security advisory
that omits the distribution URL in the following section is an
uncontrolled copy, and may lack important information or contain
factual errors.
Distribution
============
This advisory will be posted on Cisco's worldwide website at
http://www.cisco.com/warp/public/707/cisco-sa-20040129-ms030-049.shtml
In addition to worldwide web posting, a text version of this notice is
clear-signed with the Cisco PSIRT PGP key and is posted to the
following e-mail and Usenet news recipients.
* [email protected]
* [email protected]
* [email protected]
* [email protected]
* [email protected] (includes CERT/CC)
* [email protected]
* [email protected]
* comp.dcom.sys.cisco
* Various internal Cisco mailing lists
Future updates of this advisory, if any, will be placed on Cisco's
worldwide website, but may or may not be actively announced on mailing
lists or newsgroups. Users concerned about this problem are encouraged
to check the above URL for any updates.
Revision History
================
+----------------------------------------+
| Revision | | Initial |
| 1.0 | 2004-January-29 | public |
| | | release. |
+----------------------------------------+
Cisco Security Procedures
Complete information on reporting security vulnerabilities in Cisco
products, obtaining assistance with security incidents, and registering
to receive security information from Cisco, is available on Cisco's
worldwide website at:
http://www.cisco.com/warp/public/707/sec_incident_response.shtml
This includes instructions for press inquiries regarding Cisco
security notices. All Cisco security advisories are available at
http://www.cisco.com/go/psirt.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.3 (SunOS)
iD8DBQFAGXivezGozzK2tZARAhk7AKD6b14z4fwTE8SFtg1hztVLvJp0nwCgkGwA
d0sYGIdzumtmlyWXaqUcqmw=
=2WYM
-----END PGP SIGNATURE-----
