MS02-070 - Flaw in SMB Signing Could Enable.....

[Steven]

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------

Title: Flaw in SMB Signing Could Enable Group Policy to be

Modified (309376)

Released: 11 December 2002

Revised: 22 January 2003 (version 2.0)

Software: Microsoft Windows 2000

Microsoft Windows XP

Impact: Modify group policy.

Max Risk: Moderate

Bulletin: MS02-070

Microsoft encourages customers to review the Security Bulletin at:

http://www.microsoft.com/technet/security/...in/MS02-070.asp.

- ----------------------------------------------------------------------

Reason for Revision:

====================

Subsequent to releasing this bulletin it was determined that the

fix was not included in Microsoft Windows XP Service Pack 1. The

bulletin has been updated to reflect this, and the patch had been

updated so that it installs on Windows XP Service Pack 1 systems.

Customers who are currently running XP Service Pack 1 should apply

the patch.

Issue:

======

Server Message Block (SMB) is a protocol natively supported by all

versions of Windows. Although nominally a file-sharing protocol, it

is used for other purposes as well, the most important of which is

disseminating group policy information from domain controllers to

newly logged on systems. Beginning with Windows 2000, it is possible

to improve the integrity of SMB sessions by digitally signing all

packets in a session. Windows 2000 and Windows XP can be configured

to always sign, never sign, or sign only if the other party requires

it.

A flaw in the implementation of SMB Signing in Windows 2000 and

Windows XP could enable an attacker to silently downgrade the SMB

Signing settings on an affected system. To do this, the attacker

would need access to the session negotiation data as it was exchanged

between a client and server, and would need to modify the data in a

way that exploits the flaw. This would cause either or both systems

to send unsigned data regardless of the signing policy the

administrator had set. After having downgraded the signing setting,

the attacker could continue to monitor the session and change data

within it; the lack of signing would prevent the communicants from

detecting the changes.

Although this vulnerability could be exploited to expose any SMB

session to tampering, the most serious case would involve changing

group policy information as it was being disseminated from a Windows

2000 domain controller to a newly logged-on network client. By doing

this, the attacker could take actions such as adding users to the

local Administrators group or installing and running code of his or

her choice on the system.

Mitigating Factors:

====================

- Exploiting the vulnerability would require the attacker to have

significant network access already. In most cases, the attacker

would need to be located on the same network segment as one of

the two participants in the SMB session.

- The attacker would need to exploit the vulnerability separately

for each SMB session he or she wanted to interfere with.

- The vulnerability would not enable the attacker to change group

policy on the domain controller, only to change it as it flowed

to the client.

- SMB Signing is disabled by default on Windows 2000 and Windows

XP because of the performance penalty it exacts. On networks

where SMB Signing has not been enabled, the vulnerability would

pose no additional risk - because SMB data would already be

vulnerable to modification.

Risk Rating:

============

- Windows 2000: Moderate

- Windows XP: Low

Patch Availability:

===================

- A patch is available to fix this vulnerability. Please read the

Security Bulletin at

http://www.microsoft.com/technet/security/...in/ms02-070.asp

for information on obtaining this patch.

- ---------------------------------------------------------------------

Edited January 23, 2003 by xStainDx

[Steven]

Updated This Because Microsoft "Accidently" Left the Patch out of XP SP1.