ALERT-TSA-03-006

TSA 03-006 - Windows 2000 SP2 and SP3 NTDLL.DLL

Current Assessment: RED HOT

Initial Assessment: RED HOT

Current Assessment Date: March 24, 2003

Time: 1630 UTC

Threat: High. Exploit code is being developed. We expect an acceleration of attacks and the possible creation of a worm based on this vulnerability.

Vulnerability Prevalence: High. NTDLL is universal on Win2K systems.

Cost: High. The potential exploit would allow remote code execution under the permissions of LOCAL_SYSTEM. TruSecure Corporation (WWW.TruSecure.com) discovered today that other attack vectors against NTDLL.DLL (see TruSecure ALERT TSA 03-005 and 03-005a) are known to the security underground community. We therefore expect attacks against W2K devices beyond just IIS servers. There are numerous additional attack vectors against NTDLL.DLL.

It is therefore likely that in the near future multiple attacks attempting to exploit the vulnerability in NTDLL.DLL will surface and be used against your systems. Attacks may be network-based intrusion attempts, such as against IIS or possibly FTP, NNTP, IMAP, etc., or may arrive within email messages or web pages. Trojans may be built which include this attack method; they may come as attachments, or be found on public FTP servers. Further, publication of the details of the vulnerable applications may lead to internal attacks based on code being run by a malicious, although trusted, user.

Reports of problems with the MS03-007 patch have been verified, and Microsoft has provided details in that Security Bulletin. Such problems only occur on systems running Windows 2000 with Service Pack 2 and, most importantly, any Hotfix from Microsoft Product Support Services where the Hotfix contained an NTOSKRNL.EXE with a version number between 5.0.2195.4797 and 5.0.2195.4928 (inclusive).

Windows 2000 machines at SP0 or SP1 are not vulnerable.

TruSecure strongly recommends that clients fully test the newly released patch prior to installing it in any production environment.

Previous recommendations (contained in TruSecure ALERT - TS 03-005 and TS 03-005a) still apply as reasonable preventative actions against the initial IIS attack vector (attacks using the WebDAV vector began with widespread activity yesterday). However, TruSecure Corporation is today recommending that you apply the patch supplied in MS03-007/815021 as soon as practical.

TruSecure also believes that other synergistic controls like Outlook restrictions pointing to the Restricted Sites zone, file filters at the mail gateway, router default deny, and other recommendations that are part of the TruSecure Security Assurance Service will likely, but not certainly, work against potential future attacks against this pervasive vulnerability.

NTDLL.dll is a core operating system DLL and its functions are used by numerous applications. The initial exposure via the WebDAV facilities in IIS 5.0 is only one path to the exploitable condition in the pre-patch NTDLL.dll. ANY application which processes data from untrusted sources has the potential to trigger the flaw on any W2K SP2 or SP3 device. This may include content received in email, content referenced in web pages, desktop application flaws, p2p/chat clients, and so on.

We expect that a worm or multipartite attack similar to Nimda will eventually be created using this vulnerability as a primary mechanism. Such a broad "zero day" attack could be orchestrated as soon as 7-10 days, and is likely in the next month.

TruSecure believes that an appropriate strategy would be to focus first on Internet exposed Windows 2000 devices including IIS, FTP, Exchange, and other devices, then on Critical W2K devices, then on Desktops running W2K SP2 or SP3.

We believe that NTDLL will be the source vulnerability of many attacks to come, much like the script and unicode vulnerabilities have in the past.

MITIGATIONS:

1) Apply patch to affected W2K systems

2) Assure that other TruSecure synergistic controls are in place and functional

a. Perimeter Default Deny (including router and WAN / VPN gateways)

b. Essential Configurations for Windows Servers

c. Essential Configurations for Windows Desktops, particularly focusing on restrictions to Script and JavaScript activity (Restricted Sites zone, especially for mail)

d. Perimeter mail attachment filtering

Patch location:

http://www.microsoft.com/technet/security/bulletin/MS03-007.asp

Affected Systems:

Currently only Windows 2000 (Advanced Server, Server and Professional) systems with either Service Pack 2 or Service Pack 3 are affected, if they have not already installed MS03-007/815021. Again, it is important not to attempt to install this patch on Windows 2000 SP2 systems which have a version of NTOSKRNL.EXE between 5.0.2195.4797 and 5.0.2195.4928 (inclusive).
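The patch-compatibility caveat above (and its earlier statement in the section on the MS03-007 patch problems) comes down to a bounded version comparison, which is easy to get wrong if the dotted version is compared as a string rather than field by field. The following is an added example, not part of the TruSecure alert: it takes a host's service pack level and NTOSKRNL.EXE file version as inputs and returns a triage verdict using the boundaries quoted in the alert. The function names, the hostnames and the non-boundary version numbers in the sample inventory are constructed for illustration; obtaining the real file version from a host is left to whatever inventory tooling you already use.

```python
"""Pre-install triage for the MS03-007 / 815021 NTOSKRNL.EXE caveat.

Added example, not part of the TruSecure alert. Only the version
boundaries and the SP rules come from the alert; everything else here
(function names, sample hosts and versions) is constructed.
"""
from typing import Dict, Iterable, Tuple

# Inclusive NTOSKRNL.EXE version range that, on Windows 2000 SP2, must NOT
# receive the original MS03-007 patch (values quoted from the alert).
BAD_KERNEL_LOW = (5, 0, 2195, 4797)
BAD_KERNEL_HIGH = (5, 0, 2195, 4928)


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted file version such as '5.0.2195.4797' into an int tuple.

    Tuples compare numerically field by field. Comparing the raw strings
    would sort '5.0.2195.500' after '5.0.2195.4928', which is wrong.
    """
    parts = version.strip().split(".")
    if len(parts) != 4 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unexpected version format: {version!r}")
    return tuple(int(p) for p in parts)


def assess_ms03_007(service_pack: int, ntoskrnl_version: str) -> str:
    """Classify one Windows 2000 host per the alert's affected-systems notes.

    Returns one of:
      'not-vulnerable'      SP0 / SP1: the alert says these are not affected
      'patch'               SP2 / SP3 and safe to install MS03-007/815021
      'hold-hotfix-kernel'  SP2 with a PSS hotfix kernel inside the
                            conflicting range; do not install the patch as-is
      'unknown-sp'          any other service pack value
    """
    if service_pack in (0, 1):
        return "not-vulnerable"
    if service_pack not in (2, 3):
        return "unknown-sp"
    kernel = parse_version(ntoskrnl_version)
    # The alert limits the known patch problem to SP2 hosts carrying a
    # hotfix kernel in the inclusive range; SP3 hosts are not affected by it.
    if service_pack == 2 and BAD_KERNEL_LOW <= kernel <= BAD_KERNEL_HIGH:
        return "hold-hotfix-kernel"
    return "patch"


def triage(inventory: Iterable[Tuple[str, int, str]]) -> Dict[str, str]:
    """Apply assess_ms03_007 to (hostname, service_pack, kernel_version) rows."""
    return {host: assess_ms03_007(sp, ver) for host, sp, ver in inventory}


# Constructed sample inventory: hostnames and the versions outside the
# alert's quoted range are made up for the demonstration.
SAMPLE_INVENTORY = [
    ("iis-web01", 3, "5.0.2195.4800"),  # SP3: range does not apply
    ("iis-web02", 2, "5.0.2195.4797"),  # lower bound of the bad range
    ("exch01", 2, "5.0.2195.4928"),     # upper bound of the bad range
    ("exch02", 2, "5.0.2195.4929"),     # one past the range: safe to patch
    ("legacy01", 1, "5.0.2195.1620"),   # SP1: not vulnerable per the alert
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_INVENTORY).items():
        print(f"{host:10s} {verdict}")
```

The verdicts are deliberately coarse: a host marked hold-hotfix-kernel still needs the vulnerability addressed, so it should stay on the list with the interim mitigations applied until a compatible fix is confirmed for it.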

Windows 2000 machines at SP0 or SP1 are not vulnerable. [Further, administrators of Windows 2000 SP2 systems that apply MS03-007/815021 need to remember that subsequently applying Windows 2000 SP3 may revert the environment to being vulnerable. Confirmation that migrating from SP2 to SP3 reintroduces the vulnerable DLL is currently being tested by ICSA Labs, and the results will be available from your TruSecure Security Analyst. TruSecure Corporation therefore recommends that all customers upgrade to Windows 2000 SP3 or assure that this patch is re-applied after any SP3 upgrade.] TruSecure will continue to update its clients as new intelligence becomes available.

In the TruSecure methodology of mitigating significant risks with easy-to-implement synergistic controls, TruSecure may initiate non-invasive independent testing on a sample of our clients related to these vulnerabilities. These assessments will attempt to verify the current state of anticipated attack vectors and assess the potential for successful exploitation of this and other common attacks.

These are non-intrusive, non-penetrating assessments. If this testing occurs, it will originate from the ICSA Labs and TruSecure network addresses in the netblock 12.36.173.0/24.

DISCLAIMER:

Copyright 2003 TruSecure Corporation. All rights reserved. This Alert is the property of the TruSecure Corporation. It may not be redistributed except within your own company or organization. This Alert is being provided for informational purposes only and is provided "AS IS." The TruSecure Corporation makes no warranties of any kind, express or implied, including, but not limited to warranties of merchantability, fitness for a particular purpose, non-infringement, and warranties arising out of any course of dealing or course of conduct. Impenetrable security is unattainable in real world environments; the TruSecure Corporation cannot and does not guarantee protection against breaches of security.

IN NO EVENT WILL THE TRUSECURE CORPORATION BE LIABLE FOR ANY BUSINESS INTERRUPTION, LOST REVENUE, PROFITS OR DATA, OR FOR DAMAGES OF ANY KIND, HOWEVER CAUSED, ARISING OUT OF YOUR USE OF OR INABILITY TO USE THE INFORMATION CONTAINED IN THIS WARNING, OR YOUR FAILURE TO RECEIVE ANY PRIOR OR FUTURE ALERTS, WATCHES OR WARNINGS, EVEN IF THE TRUSECURE CORPORATION HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.