Microsoft Security Bulletin MS02-006

Technical description:

On February 12 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.

On March 5, 2002, Microsoft released an updated version of the bulletin annoucing the availability of a patch for Windows NT 4.0 and to advise customers that the work-around procedure is no longer needed for that platform. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.

On March 11, 2002, Microsoft released an updated version of the bulletin annoucing the availability of a patch for Windows NT 4.0 Terminal Server Edition and to advise customers that the work-around procedure is no longer needed for that platform. Patches for additional platforms are forthcoming and this bulletin will be re-released to annouce their availability.

On March 14, 2002, Microsoft discovered that the English and German patches for Windows NT 4.0 Terminal Server Edition contained incorrect files. We have corrected this error and posted updates versions of this patch for these languages. We recommend that customers who have downloaded the Windows NT 4.0 Terminal Server Edition patch in English or German prior to March 14, 2002 install the updated version. Customers who have installed the Windows NT 4.0 Terminal Server Edition patches in any language other than English or German do not need to take any action: these patches do not contain the error.

On April 26, 2002, Microsoft released an updated version of the bulletin annoucing the availability of a patch for Windows 98 and Windows 98SE and to advise customers that the work-around procedure is no longer needed for that platform.

Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.

A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.

Mitigating factors:

• The SNMP service is neither installed nor running by default in any version of Windows.
• Standard firewalling practices recommend blocking the port over which SNMP operates (UDP ports 161 and 162). If these recommendations have been followed, the vulnerability could only be exploited by an intranet user.
• Standard security recommendations recommend against using SNMP except on trusted networks, as the protocol, by design, provides minimal security.

Severity Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The SNMP service does not install by default on any version of Windows. Additionally, following well-known best practices for using SNMP (blocking at the router) protects against attempts to exploit this vulnerability.

Vulnerability identifier: CAN-2002-0053

Tested Versions:

Microsoft tested Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why is Microsoft re-releasing this bulletin?
Microsoft originally released this bulletin to advise customers of a workaround procedure that could be used while a patch was under development. Microsoft has completed the patches for all platforms, and have updated the bulletin to advise customers of their availability.
After releasing the patches for Windows NT 4.0 Terminal Server Edition, it was discovered on March 14, 2002 that the patches for English and German contained incorrect files. We have corrected the error and provided an updated patch.

What's the scope of the vulnerability? 
This is a buffer overrun vulnerability. If a particular service had been installed and was running on an affected system, it could be possible for an attacker to cause a denial of service on the system. In addition, it is possible that they could run code of their choice.
The service at issue in this vulnerability is neither installed nor running by default on any version of Windows. In addition, the circumstances under which the vulnerability could be exploited would likely prevent it from being exploited by an Internet-based attacker.

What causes the vulnerability? 
The vulnerability results because the component of the SNMP agent service that parses incoming commands contains an unchecked buffer. By sending a specially malformed request, it could be possible conduct a buffer overrun attack against an affected system.

What is SNMP? 
SNMP (Simple Network Management Protocol) is a protocol that allows administrators to remotely manage network devices such as servers, workstations, routers, bridges, firewalls, and so forth. SNMP is an industry-standard protocol, which allows devices made by many different vendors to be managed via the protocol.

How does SNMP work? 
In order for an administrator to use SNMP, there has to be an agent - that is, a service that listens for commands and executes them - on every machine that needs to be managed. Next, the administrator needs to know a password (known in SNMP parlance as a community name) that provides either read-only or read-write access, as appropriate. When the administrator issues a management command, the SNMP software on his system refers to a database (called the Management Information Base) that translates those commands to one that will be meaningful to the other machine.

How secure is SNMP? 
SNMP is, by design, not a secure protocol. For instance, all communications in SNMP take place in plaintext, so community names and other potentially sensitive information could potentially be determined by monitoring the network. Microsoft has long recommended using other, more secure methods of managing networks, and this is why the SNMP agent service that ships with Windows platforms is neither installed nor running by default.

What Windows products provide SNMP support? 
An SNMP agent service is included in Windows 95, Windows 98, Windows 98SE, Windows NT 4.0, Windows 2000, and Windows XP. However, it's neither installed nor running by default in any of them. Windows ME doesn't provide an SNMP service of any kind.

Which products' SNMP services are affected by the vulnerability? 
All SNMP services are affected. This includes: Windows 95, Windows 98, Windows 98SE, Windows NT 4.0 and Windows 2000, and Windows XP.

What's wrong with the SNMP implementations in the affected products? 
The SNMP implementations in the affected products have an unchecked buffer in a part of the software that processes management requests. If the SNMP agent service received a management request that's malformed in a particular way, the effect would be to overrun the buffer. If the data in the management request were carefully chosen, it would have the effect of altering the operation of the SNMP service while it was running.

What would this enable an attacker to do? 
An attacker who successfully exploited this vulnerability could cause a denial of service in the SNMP service. In addition, it is possible that they could change the operation of the SNMP service. Because it runs as part of the operating system, this would potentially give the attacker complete control over the system.

Who could exploit the vulnerability? 
To exploit the vulnerability, the attacker would need to be able to deliver SNMP management requests to the SNMP Service.

How difficult would it be for the attacker to deliver SNMP Management requests to an affected system? 
It's likely that an attacker located within a network could deliver SNMP management requests to most other systems on the network, since SNMP operates over TCP/IP. However, if normal firewalling has been performed, it might be impossible for an attacker located on the Internet to deliver management requests to a system behind the firewall, as standard firewalling recommendations include blocking UDP ports 161 and 162, the ports over which SNMP traffic travels.

How likely is it that a web server or other Internet-exposed system would be vulnerable? 
If best practices have been followed, SNMP wouldn't be used on an Internet-exposed machine. As we discussed above, SNMP is not a secure protocol, and as a result it's never appropriate to use SNMP to manage a system on the Internet.

How do I disable the SNMP service? 
Just follow the steps for the system you're using.

• Windows 95, 98 and 98SE:
  1. In Control Panel, double-click Network.
  2. On the Configuration tab, select Microsoft SNMP Agent from the list of installed components.
  3. Click Remove

  Check the following keys and confirm that snmp.exe is not listed.

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
• Windows NT 4.0 (including Terminal Server Edition) :
  1. Select Start, then Settings.
  2. Select Control Panel, then click on the Services Icon
  3. Locate SNMP on the list of services, then select it and click Stop.
  4. Select Startup, and click Disabled.
  5. Click OK to close the dialoge, then close Control Panel
• Windows 2000:
  1. Right-click on My Computer and select Manage
  2. Click on Services and Applications, then on Services
  3. Location SNMP on the list of services, then select it and click Stop.
  4. Select Startup, and click Disabled.
  5. Click OK to close the dialogue, then close the Computer Management window.
• Windows XP:
  1. Right-click on My Computer and select Manage
  2. Click on Services and Applications, then on Services
  3. Location SNMP on the list of services, then select it and click Stop.
  4. Select Startup, and click Disabled.
  5. Click OK to close the dialogue, then close the Computer Management window.

I previously disabled the SNMP Service on Windows 2000 or Windows XP. How do I re-enable the SNMP service? 
Just follow the steps for the system you're using only if the service was running before and you want it to run again.

• Windows 2000:
  1. Right-click on My Computer and select Manage
  2. Click on Services and Applications, then on Services
  3. Locate SNMP on the list of services, then select it.
  4. Right-click and select Properties, select Startup, and click Automatic.
  5. Click OK to close the dialogue.
  6. Right-click and select Start.
  7. Close the Computer Management window.
• Windows XP:
  1. Right-click on My Computer and select Manage
  2. Click on Services and Applications, then on Services
  3. Locate SNMP on the list of services, then select it.
  4. Right-click and select Properties, select Startup, and click Automatic.
  5. Click OK to close the dialogue.
  6. Right-click and select Start.
  7. Close the Computer Management window.

I haven't installed the SNMP service on my system. Am I at any risk? 
No. You're only at risk if the SNMP service is running.

What does the patch do? 
The patch eliminates the vulnerability by instituting proper input checking on the command parser in the SNMP agent service.

I downloaded the Windows NT 4.0 Terminal Server Edition patch for English or German prior to March 14, 2002, what should I do?
You should download the updated patches and use those to update your system.

I installed the earlier version of these patches on my system, what do I need to do? 
Once you've downloaded the updated patch, you can apply that to your system. It will overwrite the previous version of the patch. There is no need to uninstall the previous version.

I've downloaded a Windows NT 4.0 Terminal Server Edition patch in a language other than English or German, do I need to do anything? 
No. The problem only affects the patches in English and German. Patches in other languages do not suffer from this problem and do not need to be re-downloaded or re-applied.

Download locations for this patch

• Microsoft Windows 98/98SE:

  http://download.microsoft.com/download/WIN98/UPDATE/23433/W98/EN-US/314147USA8.EXE

• Windows NT 4.0:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=84FC577D-F2D5-47B8-AB98-77BA7501B00B&displaylang=en

• Windows NT 4.0 Terminal Server Edition:

  http://www.microsoft.com/downloads/details.aspx?FamilyID=d66ab7b0-e735-44ac-bfe6-9f8a1aabab80

• Windows 2000:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en

• Windows XP:

  http://www.microsoft.com/downloads/details.aspx?FamilyId=84FC577D-F2D5-47B8-AB98-77BA7501B00B&displaylang=en