Microsoft Security Bulletin MS04-001

Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458)

Issued: January 13, 2004
Version: 1.0

Summary

Who should read this document:
Customers who use Microsoft® Internet Security and Acceleration Server 2000

Impact of vulnerability:
Remote Code Execution

Maximum Severity Rating:
Critical

Recommendation:
Customers should install the security update immediately

Security Update Replacement:
None

Caveats:
None

Tested Software and Security Update Download Locations:

Affected Software:

Microsoft Internet Security and Acceleration Server 2000 - Download the update
Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000) - Download the Update
Microsoft Small Business Server 2003 (which includes Microsoft Internet Security and Acceleration Server 2000) - Download the Update

Non Affected Software:

Microsoft Proxy Server 2.0

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical Details


Microsoft Internet Security and Acceleration Server 2000	Critical

Workarounds

Frequently Asked Questions

What is the scope of the vulnerability?
This is a buffer overflow vulnerability. An attacker who successfully exploited this vulnerability could cause code to run in the security context of the Microsoft Firewall Service on ISA Server 2000. An attacker who successfully exploited this vulnerability could also gain complete control over the system.

What causes the vulnerability?
This vulnerability results because of the way that the H.323 filter checks the boundaries on specially crafted H.323 traffic.

What is the H.323 Filter?
The H.323 filter is an application filter that ISA Server 2000 uses to monitor and control traffic using H.323 and T.120 protocols. The H.323 protocol is used in IP telephony applications to transfer audio and video communications. The T.120 protocol is used in IP telephony applications to transfer data such as whiteboard, file transfer, or remote desktop data. The H.323 filter is enabled by default on ISA Server 2000.

What is the Microsoft Firewall Service?
ISA Server's Microsoft Firewall Service allows Internet applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to an ISA Server, establishing a communication path from the internal application to the Internet through the server computer.
The service eliminates the need for a specific gateway for each protocol, such as Simple Mail Transfer Protocol (SMTP), Telnet, File Transfer Protocol (FTP), or H.323 protocol.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause code to run in the security context of the Microsoft Firewall Service on ISA Server 2000. An attacker who successfully exploited this vulnerability could gain complete control over the system.

Does this update contain any other security changes?
Yes. The update also corrects an issue with the Call Control tab of the H.323 filter setting. Before this update if you clicked to clear the Allow Incoming Calls check box in the Call Control tab of the H.323 filter settings, the filter would not be configured to stop listening on the external TCP port 1720. This update corrects this problem. After the update, clicking to select this option correctly configures the filter to stop listening on the external TCP port 1720. The Microsoft Firewall Service must be restarted for this setting to take effect.
If the network that the H.323 filter is helping to protect intends to use only outgoing H.323 traffic, it is recommended that you disable Allow Incoming Calls to enhance security.

What does the update do?
The update removes the vulnerability by modifying the way that the H.323 filter validates H.323 traffic.

I have installed the H.323 Gatekeeper Service. Is the H.323 Gatekeeper Service vulnerable?
No. The H.323 Gatekeeper Service does not contain the vulnerability that is associated with this update. However, if the H.323 Gatekeeper Service has been installed on the system, an updated version of gksvc.dll will be installed with this update. The H.323 Gatekeeper Service is not installed by default.

If I install the H.323 Gatekeeper Service after I apply this update, do I need to re-apply the update?
Yes. If setup components are re-installed, all updates should be re-applied.

Security Update Information

ISA Server 2000, ISA Server 2000 Feature Pack 1, Small Business Server 2000, Small Business Server 2000 Service Pack 1, Small Business Server 2003

Prerequisites

This security update requires ISA Server Service Pack 1 (SP1).

For additional information about how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base:

313139 How to Obtain the Latest Internet Security and Acceleration Server Service Pack

Inclusion in future service packs:

The fix for this issue will be included in ISA Server 2000 Service Pack 2.

Installation Information

This security update supports the following Setup switches:

-? : Show the list of installation switches.

/q : Use Quiet mode (no user interaction).

-UHF <X> : Remove hotfix number <X> (where <X> is the number of the hotfix).

-nostart : Do not start the stopped services

Deployment Information

To install the security update without any user intervention, use the following command line:

ISA2000-KB816458-x86.exe -q

Restart Requirement

You do not have to restart your computer after you apply this update. The ISA services are restarted when applying this update.

Removal Information

To remove this update, use the Add or Remove Programs tool in Control Panel. To do so, click ISA Server 2000 Updates, click Change, click ISA Hot Fix 291, and then click Remove

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date	Time	Version	Size	File Name
16-Dec-2003	17:16	3.0.1200.291	140,560	Gksvc.dll	X86
16-Dec-2003	17:16	3.0.1200.291	209,168	H323asn1.dll	X86
16-Dec-2003	17:16	3.0.1200.291	86,800	H323fltr.dll	X86

Note: Gksvc.dll will only be installed if the H.323 Gatekeeper Service is installed on the ISA Server. If the H.323 Gatekeeper Service is not installed, gksvc.dll will not be installed and will not exist on the system. This service is not installed by default.

The English version of this fix can be used for all languages of the product.

Verifying Update Installation

You may be able to verify the files that this security update installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

The UK National Infrastructure Security Co-ordination Centre (NISCC) for reporting the issue described in MS04-001.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources:

The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Microsoft Software Update Services
Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge Base Article 306460 for list of security updates that have detection limitations with the MBSA tool.
Windows Update
Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
Office Update

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (January 13, 2004): Bulletin published