Microsoft Security Bulletin MS00-054
Patch Available for 'Malformed IPX Ping Packet' Vulnerability
Date Published: August 03, 2000
Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows 95, 98 and 98 Second Edition. The vulnerability could be used to cause an affected system to fail, and depending on the number of affected machines on a network, potentially could be used to flood the network with superfluous data. The affected system component generally is present only if it has been deliberately installed.
- Microsoft Windows 95
- Microsoft Windows 98
- Microsoft Windows 98 Second Edition
Vulnerability Identifier: CVE-2000-0742
The Microsoft IPX/SPX protocol implementation (NWLink) supports the IPX Ping command via the diagnostic port 0x456. Because of a flaw in the implementation of the protocol in Windows 95, Windows 98 and Windows 98 Second Edition, NWLink in these systems will respond to an IPX ping packet even when the source network address has been purposely modified to a broadcast address. This would give a malicious user an opportunity to launch an attack by broadcasting a single ping request - each affected machine that received the ping would respond to it, potentially resulting in a broadcast storm. In a large network, this could temporarily swamp the network's bandwidth. In addition, upon seeing its own response, each affected machine would attempt to process it, triggering a scenario that would culminate in the machine's failure. A machine that failed due to this vulnerability could be put back into service by rebooting.
IPX is not installed by default in Windows 98 and 98 Second Edition, and is only installed by default in Windows 95 if there is a network card present in the machine at installation time. Even when IPX is installed, a malicious user's ability to exploit this vulnerability would depend on whether he could deliver a Ping packet to an affected machine. Routers frequently are configured to drop IPX packets, and if such a router lay between the malicious user and an affected machine, he could not attack it. Routers on the Internet, as a rule, do not forward IPX packets, and this would tend to protect intranets from outside attack, as well as protecting machines connected to the Internet via dial-up connections. As discussed in the FAQ, the most likely scenario in which this vulnerability could be exploited would be one in which a malicious user on an intranet would attack affected machines on the same intranet, or one in which a malicious user on the Internet attacked affected machines on his cable modem or DSL subnet.
What's this bulletin about?
Microsoft Security Bulletin MS00-054 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows 95, 98 and 98 Second Edition. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a denial of service attack. A malicious user could use this vulnerability to cause an affected machine to fail; on larger networks, it could also be used to create a "broadcast storm", in which a single query would trigger a large number of responses that would consume network resources.
The chief limitation on this vulnerability is that the affected system component is usually not installed by default. Even if it was installed, the vulnerability could only be exploited in restricted circumstances. In a corporate setting, the vulnerability could only be exploited by a user who could log onto the network. In a home setting, the vulnerability could only be exploited if the machine was connected to the Internet via a cable modem or DSL connection, and the malicious user was on the same network segment as the affected machine. Neither Windows NT 4.0 nor Windows 2000 are affected by the vulnerability.
What causes the vulnerability?
The IPX implementation in the affected systems will accept and process a specially-malformed Ping packet, with the result that an affected machine would respond not to the sender but to the entire network, then fail altogether.
IPX (Internetworked Packet Exchange, or, more properly, IPX/SPX - Internetworked Packet Exchange/Sequenced Packet Exchange) is a networking protocol popularized by Novell Netware. Windows platforms implement IPX through the NWLink feature, which allows Windows and Netware computers to communicate.
IPX is primarily used in small- to medium-sized networks, because it's routable and relatively efficient. It's typically not used in large networks because, under IPX, machines periodically send broadcast messages to announce their continued presence on the network. In large networks these messages can cause network congestion.
Is this a problem in the IPX protocol?
No. The vulnerability has nothing to do with the protocol per se. It results because of an implementation error in the affected systems.
Is IPX installed by default?
In general, no. Windows 98 and Windows 98 Second Edition do not install IPX by default. Windows 95 does install IPX by default if there is a plug-and-play network card present in the machine when the system is installed - however, at the time when most Windows 95 systems were installed, there were very few plug-and-play network cards available, so it is likely that IPX is not installed on most Windows 95 systems.
What's a Ping packet?
The "Ping" function is a part of the IPX protocol, and enables a machine to determine whether another machine on the network is active. (Other protocols such as TCP/IP also implement a Ping function, but only the IPX Ping function is implicated in this vulnerability). When one machine needs to "ping" another machine, it sends a data packet that indicates the source and destination address (among other information), and indicates that a Ping is being requested.
What's wrong with the Ping packet at issue here?
The vulnerability causes the affected systems to handle a Ping packet inappropriately if the source address has been modified to be the broadcast address.
What do you mean by the broadcast address?
Like most networking protocols, IPX provides the ability to send a packet to every machine in the network by addressing it to the so-called broadcast address. In this vulnerability, however, the malicious user wouldn't send a Ping packet to the broadcast address - instead, he would provide the broadcast address as the source address.
What do you mean when you say that an affected system would handle such a packet inappropriately?
The broadcast address is clearly an invalid source address, and NWLink should simply drop such a packet when it receives it. Instead, it processes the packet, and, because of the malformation, responds to the entire network rather than to the requester.
What's the effect of responding to the entire network?
It would have two effects. First, it would cause the machine to respond to the "sender" of the Ping packet - the broadcast address. That is, it would cause the machine to send a Ping response to the entire network. This would require every machine that received it to process it. If a single machine sent a Ping reply to the entire network, it might not have a significant effect on the overall network. However, the malicious user might not send the packet to a single machine. He might set the destination address, as well as the source address, to broadcast, in order to cause every affected machine within broadcast range to respond to the entire network. Depending on the number of affected machines on the network, this could create a "broadcast storm" that could significantly impede network operations.
To see why, consider a case in which there are ten machines on the network. The malicious user would initiate the attack by sending a single malformed Ping packet to the broadcast address. Upon receiving the request, all ten machines would process it and reply via broadcast. Thus, by sending a single request, the malicious user would have succeeded in causing ten times as much traffic to be sent in response, and would have caused all ten machines to process the other machines' responses. Now consider the case where a thousand affected machines are on the network. In this case, a single malformed Ping packet would cause a thousand responses. If the number of affected machines were sufficiently high, the attack could cause the network to be swamped with responses.
The second effect would occur when an affected machine saw the response it sent. (The response was, after all, addressed to every machine on the network). The machine would try to process its own response, which would trigger a series of steps culminating in the machine's failure.
How long would the broadcast storm last?
It would be brief - first of all, because the responses wouldn't trigger any additional responses, and second because each affected machine would fail after seeing its response.
What would be needed to restore a machine to normal operation?
The machine could be restored to normal operation by rebooting it.
What would be necessary in order for a malicious user to exploit this vulnerability?
Three things would be needed:
- The user would need to be running an affected system - that is, Windows 95, 98 or 98 Second Edition.
- IPX would need to have been installed on the system. As discussed above, IPX is in general not installed by default
- The malicious user would need to be able to deliver an IPX packet to the machine.
The latter condition is noteworthy because it serves to significantly limit the vulnerability. IPX is a routable protocol, but many routers are configured to drop, rather than route, IPX packets. Such a router would serve as a barrier and protect any machines behind it - if the malicious user couldn't deliver the Ping packet, he couldn't exploit the vulnerability.
Who is at risk from this vulnerability?
Let's start with who's not at risk. If IPX isn't installed on the machine, the vulnerability can't affect it. Even if IPX were installed, a malicious user couldn't attack the machine via this vulnerability unless he could deliver an IPX Ping packet to it. As a rule, routers on the Internet are configured to drop IPX packets, and this would tend to prevent Internet-based attacks. Specifically, it would protect LAN users from being attacked by an external user, and would protect users who connect to the Internet via dial-up connection from being attacked.
Customers using an affected system on a LAN could be at risk from attack by an internal user, and customers who use DSL or cable modem to access the Internet could be at risk from an attack by a malicious user on the same subnet. However, in both cases, the network administrator could monitor the network, detect the malicious user's activity and remove him from the network. In addition, the risk to LAN users could be further reduced if the routers inside the network were configured to drop IPX packets, as they frequently are.
Are Windows NT 4.0 and Windows 2000 affected by the vulnerability?
Who should use the patch?
Microsoft recommends that customers who have IPX enabled and are using an affected system in a corporate LAN setting or accessing the Internet via DSL or cable modem consider installing the patch.
What does the patch do?
The patch eliminates the vulnerability by causing NWLink to ignore Ping requests containing the specific malformation at issue here.
How do I use the patch?
Knowledge Base article Q265334 contains detailed instructions for applying the patch.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How can I tell if I installed the patch correctly?
Knowledge Base article Q265334 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q265334 explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows 95:
- Microsoft Windows 98 and Windows 98 Second Edition:
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base article Q265334 discusses this issue.
Support: This is a fully supported patch. Information on contacting Microsoft Technical Support is available at http://support.microsoft.com/contactussupport/?ws=support.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- August 03, 2000: Bulletin Created.