What's the scope of the vulnerability?
What's the scope of the vulnerability? This is a denial of service vulnerability. By sending a series of specially malformed requests to a domain controller, an attacker could cause most or all of the machine's memory to be unavailable, potentially preventing it from authenticating users. In the worst case, the net result could be that new users might be unable to log on, and logged-on users might be unable to use some network resources. To restore normal service, the administrator would need to reboot the domain controller.
If there were multiple domain controllers on a domain, the other machines would assume part of the affected machine's load. Also, if best practices have been followed, the vulnerability could only be exploited by a user within the network -- the ports used in this attack should be blocked at the firewall.
What causes the vulnerability?
This vulnerability results because one of the services used by Windows 2000 domain controllers contains a memory leak that can be triggered via a particular type of invalid service request.
What is a memory leak?
A memory leak is an implementation error that depletes the available memory on a system. As a process on a computer runs, its memory needs tend to vary, depending on exactly what the process is doing from one minute to the next. When the process needs more memory, it requests it from the operating system; when it no longer needs the additional memory, it should return it to the operating system so it can be allocated to other processes.
If a process doesn't correctly return memory to the operating system, the memory remains assigned to the process, even though the process is no longer using it, and the memory can't be re-allocated. This effectively makes the section of memory unavailable. In this case, one of the processes that runs on Windows 2000 domain controllers has a memory leak that occurs only when certain invalid requests are made of it.
What could an attacker do via this vulnerability?
By repeatedly sending the domain controller the invalid request at issue here, an attacker could deplete the available pool of memory to the point where the machine's ability to respond to other, valid requests would slow or stop altogether.
What would be the effect of slowing or stopping the domain controller?
Let's consider the worst case, in which there's only a single domain controller in the domain, and the attacker depleted the machine's memory to the point where it was unable to respond to any requests at all. In this case, the principal effect would be to prevent the domain controller from logging new users onto the domain, and to prevent the machine from responding to queries to the Active Directory.
Would this prevent previously logged-on users from using network resources?
Not necessarily. Recall that Windows 2000 uses Kerberos as its default authentication protocol. In Kerberos, the domain controller does not authenticate every use of network resources, but instead provides a reusable ticket the first time a user requests a particular resource. When the user subsequently needs to use a particular resource, the domain controller doesn't need to be involved in the authentication process.
The upshot of this is that even if the domain controller were completely unavailable, it wouldn't prevent users who already had Kerberos tickets from using them. They could continue accessing all resources for which they had tickets. However, it would prevent the domain controller from issuing any new tickets for other resources.
What if the domain had several domain controllers?
In domains that contain multiple domain controllers, the machines work together and shift their workloads dynamically. The more domain controllers there are in a single domain, the less noticeable the loss of a single one would be.
How could an affected domain controller be put back into service?
An affected domain controller could be put back into service by rebooting the machine.
Couldn't I just disable the service that contains the flaw?
No. The affected service is one of the core services on Windows 2000 domain controllers and cannot be disabled.
Could this vulnerability be exploited from the Internet?
If normal security practices have been followed (blocking of TCP ports 88 or 464 at the firewall), this vulnerability could only be exploited from within an internal corporate network. Typically, domain controllers are not used as network edge machines, and firewalling would prevent users outside the corporate network from levying any requests directly upon them. If these practices have been followed, Internet users would not be able to send the malformed request to the affected service, and as a result they would be unable to exploit the vulnerability.
Does this vulnerability affect Windows NT® 4.0 domain controllers?
No. Only Windows 2000 domain controllers are affected.
Who should use the patch?
Microsoft recommends that customers consider installing the patch on their Windows 2000 domain controllers
What does the patch do?
The patch eliminates the vulnerability by causing the affected service to correctly treat as invalid the request at issue here.
