Microsoft Security Bulletin MS02-010

Discussion in 'other security issues & news' started by Zhen-Xjell, Feb 21, 2002.

Thread Status:
Not open for further replies.
  1. Zhen-Xjell

    -----BEGIN PGP SIGNED MESSAGE-----

    - ----------------------------------------------------------------------
    Title:      Unchecked Buffer in ISAPI Filter Could Allow Commerce
               Server Compromise
    Date:       21 February 2002
    Software:   Commerce Server 2000
    Impact:     Run code of attacker's choice.
    Max Risk:   Critical
    Bulletin:   MS02-010

    Microsoft encourages customers to review the Security Bulletin at:
    http://www.microsoft.com/technet/security/bulletin/MS02-010.asp.
    - ----------------------------------------------------------------------

    Issue:
    ======
    By default, Commerce Server 2000 installs a .dll with an ISAPI
    filter that allows the server to provide extended functionality in
    response to events on the server. This filter, called AuthFilter,
    provides support for a variety of authentication methods.
    Commerce Server 2000 can also be configured to use other
    authentication methods.

    A security vulnerability results because AuthFilter contains an
    unchecked buffer in a section of code that handles certain types
    of authentication requests. An attacker who provided
    authentication data that overran the buffer could cause the
    Commerce Server process to fail, or could run code in the
    security context of the Commerce Server process. The
    process runs with LocalSystem privileges, so exploiting the
    vulnerability would give the attacker complete control of
    the server.

    Mitigating Factors:
    ====================
    - Although Commerce Server 2000 does rely on IIS for its base
      web services, the AuthFilter ISAPI filter is only available
      as part of Commerce Server. Customers using IIS are at no
      risk from this vulnerability.

    - The URLScan tool, if deployed using the default ruleset for
      Commerce Server, would make it difficult if not impossible
      for an attacker to exploit the vulnerability to run code,
      by significantly limiting the types of data that could be
      included in a URL. It would, however, still be possible
      to conduct denial of service attacks.

    - An attacker's ability to extend control from a compromised
      web server to other machines would depend heavily on the
      specific configuration of the network. Best practices recommend
      that the network architecture account for the inherent high risk
      that machines in an uncontrolled environment, like the Internet,
      face by minimizing overall exposure through measures like DMZs,
      operating with minimal services and isolating contact with
      internal networks. Steps like this can limit overall exposure
      and impede an attacker's ability to broaden the scope of a
      possible compromise.

    - While the ISAPI filter is installed by default, it is not loaded
      on any web site by default. It must be enabled through the
      Commerce Server Administration Console in the Microsoft
      Management Console (MMC).

    Risk Rating:
    ============
    - Internet systems: Critical
    - Intranet systems: Critical
    - Client systems: None

    Patch Availability:
    ===================
    - A patch is available to fix this vulnerability. Please read the
      Security Bulletin at
      http://www.microsoft.com/technet/security/bulletin/ms02-010.asp
      for information on obtaining this patch.

    - ---------------------------------------------------------------------

    THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
    PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS
    ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE
    WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
    IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE
    FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL,
    CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF
    MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
    POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION
    OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES
    SO THE FOREGOING LIMITATION MAY NOT APPLY.



    *******************************************************************

    You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp.

    To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

    For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
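
Added example, not part of the bulletin and not Microsoft's AuthFilter code: the bulletin describes authentication data overrunning an unchecked buffer, so this C sketch shows a credential parser that checks every length before copying and rejects oversize input. The `user:password` format, the field sizes and all names here are assumptions made for illustration.

```c
#include <stddef.h>
#include <string.h>

#define MAX_USER 32   /* assumed field sizes, not taken from the bulletin */
#define MAX_PASS 64

struct creds {
    char user[MAX_USER];
    char pass[MAX_PASS];
};

enum parse_result { PARSE_OK = 0, PARSE_MALFORMED = -1, PARSE_TOO_LONG = -2 };

/* An unchecked handler copies request data straight into a fixed field:
 *     strcpy(out->user, data);    // length is chosen by the client
 * This version validates every length before a single byte is copied. */
enum parse_result parse_auth_data(const char *data, size_t data_len,
                                  struct creds *out)
{
    const char *sep;
    size_t user_len, pass_len;

    if (data == NULL || out == NULL)
        return PARSE_MALFORMED;
    memset(out, 0, sizeof *out);

    /* Reject embedded NULs so length checks and string functions agree. */
    if (memchr(data, '\0', data_len) != NULL)
        return PARSE_MALFORMED;

    sep = memchr(data, ':', data_len);
    if (sep == NULL)
        return PARSE_MALFORMED;

    user_len = (size_t)(sep - data);
    pass_len = data_len - user_len - 1;
    if (user_len == 0)
        return PARSE_MALFORMED;

    /* Reject rather than truncate; ">=" leaves room for the terminator. */
    if (user_len >= sizeof out->user || pass_len >= sizeof out->pass)
        return PARSE_TOO_LONG;

    memcpy(out->user, data, user_len);
    memcpy(out->pass, sep + 1, pass_len);
    return PARSE_OK;   /* fields were zeroed, so both are NUL-terminated */
}
```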
     