Microsoft Security Bulletin MS04-008

Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)

Issued: March 9, 2004
Version: 1.0

Summary

Who Should Read This Document:
Customers who are using Microsoft® Windows® 2000

Impact of Vulnerability:
Denial of Service

Maximum Severity Rating:
Moderate

Recommendation:
Systems administrators should consider applying the security update to systems that are running Windows 2000 Server and that have Windows Media Services 4.1 installed.

Security Update Replacement:
None

Caveats:
None

Tested Software and Security Update Download Locations:

Affected Software

Microsoft Windows 2000 Server Service Pack 2, Microsoft Windows 2000 Server Service Pack 3, Microsoft Windows 2000 Server Service Pack 4 -Download the update

Non Affected Software

Microsoft Windows NT® Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Professional Service Pack 2, Microsoft Windows 2000 Professional Service Pack 3, Microsoft 2000 Professional Service Pack 4
Microsoft Windows XP, Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server™ 2003
Microsoft Windows Server 2003 64-Bit Edition

Tested Microsoft Windows Components:

Affected Components:

Windows Media Services 4.1 (included with Microsoft Windows 2000 Server)

Non Affected Components:

Windows Media Services 9.0 Series (included with Microsoft Windows Server 2003)
Windows Media Services 4.1 (available for download for Windows NT4 Server)

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

General Information

Technical Details

Technical description:

A vulnerability exists because of the way that Windows Media Station Service and Windows Media Monitor Service, components of Windows Media Services, handle TCP/IP connections. If a remote user were to send a specially-crafted sequence of TCP/IP packets to the listening port of either of these services, the service could stop responding to requests and no additional connections could be made. The service must be restarted to regain its functionality.

Windows Media Services is made up of Windows Media Services Administrator and four Windows Media Services components running on a single computer:

By using Windows Media Unicast Service, Windows Media content can be streamed over unicast, using either TCP or UDP as a transport, to Microsoft Windows Media Player or to another Windows Media server.

Windows Media Station Service performs three key functions:

It arranges one or more streams of content (also known as a "playlist" or "program") for subsequent streaming.
It multicasts the playlist or program to Windows Media Player or to another Windows Media server.
It distributes the playlist or program locally to Windows Media Unicast Service for subsequent unicasting to Windows Media Player or to another Windows Media server.

Windows Media Program Service is a dependent service of Windows Media Station Service. Windows Media Program Service helps the server administrator build playlists of Windows Media content using Windows Media Services Administrator and persist those playlists for future use.

Windows Media Monitor Service is the administrative console of Windows Media Services.

Note Windows Media Unicast Service may also be affected by a successful attack against Windows Media Station Service if Windows Media Unicast Service is sourcing a playlist from Windows Media Station Service. In this case, Windows Media Unicast Service could stop functioning when it encounters the next item in the playlist. An administrator can stream media by using Windows Media Unicast Service without a playlist.

Mitigating factors:

The Windows Media Services component is not installed by default.
Windows Media Services can be configured to offer streaming media over unicast only and would then not be affected by this vulnerability. This configuration would mean that different media streams from the same server could not be added into a playlist.
Microsoft recommends that customers enable Windows Media Unicast Service only on Internet-facing sockets and ports and not the other components of Windows Media Services. If this practice is followed, the attack surface would not be exposed to the Internet.
Customers who administer their Windows Media Services servers directly from the console or through a Terminal Services session are not affected by any successful Denial of Service attempts against Windows Media Monitor Service. Windows Media Monitor Service would not be accessible remotely, only locally.
If you have disabled Windows Media Station Service and Windows Media Monitor Service, you are not affected by this vulnerability.

Severity Rating:


Microsoft Windows 2000 Server	Moderate

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0905

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Block ports 7007 and 7778 at your firewall.
If you do not stream media over TCP to the Internet, you can block TCP port 7007. Also, block port 7778, which is used to administer Windows Media Services through Windows Media Monitor Service. Windows Media Services uses these ports. By blocking these ports at the firewall, you can help prevent systems that are behind the firewall from being attacked by attempts to exploit this vulnerability.
Impact of Workaround: If you block port 7007, you will prevent multicast streams and the enabling of playlists from functioning across the firewall. If you block port 7778, you will prevent administrative functions from functioning across the firewall.
Administer your Windows Media Services from the console or through a Terminal Services session.
Administer your Windows Media Services servers directly from the console or through a Terminal Services session. If you do this, you will not be affected by any successful denial of service attempts against Windows Media Monitor Service. The reason for this is that the service can still be accessed and used from the desktop of the system that is hosting Windows Media Services even after a successful denial of service attack has been taken place.
Impact of Workaround: None.
Stop, disable, or remove Windows Media Station Service.
Stop, disable, or remove Windows Media Station Service.
Impact of Workaround: Stopping, disabling, or removing Windows Media Station Service will cause multicast streams or the enabling of playlists to not function.
Disable or remove Windows Media Monitor Service.
Disable or remove Windows Media Monitor Service.
Impact of Workaround: Disabling or removing Windows Media Monitor Service will prevent the possibility of administering Windows Media Services.

Frequently asked questions

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited the vulnerability could cause Windows Media Station Service or Windows Media Monitor Service running on a system that is running Windows 2000 Server to stop responding to new requests. For Windows Media Station Service, the result would be that the service would not accept any new TCP connections. New requests for media would not be serviced, nor would subsequent items in a playlist be serviced. For of Windows Media Monitor Service, the result would be that the service would not accept any new TCP connections; however, the server administrator could use Terminal Services to log on remotely and administer Windows Media Services.

What causes the vulnerability?
The vulnerability exists because the process by which Windows Media Station Service and Windows Media Monitor Service validate TCP requests could cause both services to stop accepting new connection requests.

What is Windows Media Services?
Windows Media Services is a Windows server component that enables content to be streamed from a Windows Media server to Windows Media clients over the Internet or over an intranet. Clients who receive the content can render, as in play or display, it as it is being received without first downloading the content.

What components are installed on my system when I install Windows Media Services?
Windows Media Services is made up of four Windows services:

Windows Media Unicast Service. This service provides unicast streaming over the Internet or over an intranet.
Windows Media Station Service. This service provides multicast streaming. To be able to use multicast streaming, all routers between the server and the client must have multicast enabled.
Windows Media Program Service. This service provides a sequential program, or playlist, to Windows Media Station Service. Playlists can also be used by Windows Media Unicast Service, which uses features in Windows Media Station Service and Windows Media Program Service to operate.
Windows Media Monitor Service. This is a helper service to Windows Media Services; it monitors client and server connections and is the service through which Windows Media Services is administered.

What are the unicast and multicast methods of media streaming?
Unicast and multicast media streaming are methods of delivering media content to clients across a network.
Unicast is a file transfer process where a separate copy of the data is sent from the server to each client that requests it.
Multicast is a file transfer process where a single copy of the data is sent, but all clients access that single stream in progress. Multiple copies of data are not sent across the network. For more information about multicast media streaming, see the Multicast Streaming with Windows Media Services 4.1 Web site.

What might the vulnerability allow an attacker to do?
An unauthenticated attacker could send a specially-crafted sequence of TCP/IP packets to the server, which could cause Windows Media Station Service to stop accepting new requests. Windows Media Station Service would still be able to stream media on TCP connections that have already been made, but it would not accept new requests. New requests for media would not be serviced. Requests for the next item in a playlist would also not be serviced because they are essentially new requests.
To recover from this state, an administrator would have to restart the service.

Who could exploit the vulnerability?
An unauthenticated attacker who could connect to Windows Media Station Service or to Windows Media Monitor Service could exploit this vulnerability by causing the services to stop responding to new requests.

What systems are primarily at risk from the vulnerability?
Apply this update to systems that have Windows Media Center Services for Windows 2000 Server installed.

I am running Windows Media Services 4.1 on Windows NT4 Server. Am I affected by this vulnerability?
No. Windows Media Services 4.1 (available for download for Windows NT4 Server) is not affected by this vulnerability.

What does the update do?
The update makes sure that Windows Media Station Service and Windows Media Monitor Service correctly validate TCP requests.

Security Update Information

Other Information

Acknowledgments

Microsoft thanks the following for working with us to help protect customers:

Qualys for reporting the issue.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
Updates for consumer platforms are available from the Windows Update Web site.

Support:

Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web site.

Security Resources:

The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Microsoft Software Update Services
Microsoft Baseline Security Analyzer (MBSA)
Windows Update
Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
Office Update

Software Update Services:

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server™ 2003-based servers, as well as to desktop computers running Windows 2000 Professional or Windows XP Professional.

For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Systems Management Server:

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web site. For detailed information about the many enhancements to the security update deployment process that SMS 2003 provides, please visit the SMS 2003 Security Patch Management Web site. For users of SMS 2.0, it also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

V1.0 (March 9, 2004): Bulletin published