Microsoft Security Bulletin MS02-006 - Moderate

Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run

Published: February 12, 2002 | Updated: May 09, 2003

Version: 6.1

Summary

Who should read this bulletin: System administrators who use Simple Network Management Protocol to manage Microsoft® Windows® 95, 98, 98SE, Windows NT® 4.0, Windows 2000 or Windows XP systems

Impact of vulnerability: Denial of Service, potentially run code of attacker's choice

Maximum Severity Rating: Moderate

Recommendation: Customers using SNMP on Windows 98, Windows 98SE, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000 or Windows XP should apply the patch for their platform. Customers on any platform for which no patch is yet listed under "Patch availability" should disable the SNMP service if it is running and apply the patch when it becomes available.

Affected Software:

  • Microsoft Windows 95
  • Microsoft Windows 98
  • Microsoft Windows 98SE
  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Server, Terminal Server Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP

General Information

Technical details

Technical description:

On February 12 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability. An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to announce their availability.

On March 5, 2002, Microsoft released an updated version of the bulletin announcing the availability of a patch for Windows NT 4.0 and advising customers that the work-around procedure is no longer needed for that platform.

On March 11, 2002, Microsoft released an updated version of the bulletin announcing the availability of a patch for Windows NT 4.0 Terminal Server Edition and advising customers that the work-around procedure is no longer needed for that platform.

On March 14, 2002, Microsoft discovered that the English and German patches for Windows NT 4.0 Terminal Server Edition contained incorrect files. We have corrected this error and posted updated versions of this patch for these languages. We recommend that customers who downloaded the Windows NT 4.0 Terminal Server Edition patch in English or German prior to March 14, 2002 install the updated version. Customers who have installed the Windows NT 4.0 Terminal Server Edition patch in any language other than English or German do not need to take any action: those patches do not contain the error.

On April 26, 2002, Microsoft released an updated version of the bulletin announcing the availability of a patch for Windows 98 and Windows 98SE and advising customers that the work-around procedure is no longer needed for those platforms.

Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.

A buffer overrun is present in all of these implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that the attacker could cause code to run on the system in the LocalSystem security context, which would potentially give the attacker the ability to take any desired action on the system.

Mitigating factors:

  • The SNMP service is neither installed nor running by default in any version of Windows.
  • Standard firewalling practices recommend blocking the ports over which SNMP operates (UDP ports 161 and 162). If these recommendations have been followed, the vulnerability could only be exploited by an intranet user.
  • Standard security recommendations recommend against using SNMP except on trusted networks, as the protocol, by design, provides minimal security.

Severity Rating:

                                         Internet Servers   Intranet Servers   Client Systems
Windows 95                               None               None               Moderate
Windows 98                               None               None               Moderate
Windows 98SE                             None               None               Moderate
Windows ME                               None               None               None
Windows NT 4.0                           Low                Moderate           Moderate
Windows NT 4.0 Terminal Server Edition   Low                Moderate           None
Windows 2000                             Low                Moderate           Moderate
Windows XP                               None               None               Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The SNMP service does not install by default on any version of Windows. Additionally, following well-known best practices for using SNMP (blocking at the router) protects against attempts to exploit this vulnerability.

Vulnerability identifier: CAN-2002-0053

Tested Versions:

Microsoft tested Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Frequently asked questions

Why is Microsoft re-releasing this bulletin?
Microsoft originally released this bulletin to advise customers of a workaround procedure that could be used while a patch was under development. Patches are now available for Windows 98, Windows 98SE, Windows NT 4.0, Windows NT 4.0 Terminal Server Edition, Windows 2000 and Windows XP (see "Patch availability" below), and the bulletin has been updated to advise customers of their availability. After the patches for Windows NT 4.0 Terminal Server Edition were released, it was discovered on March 14, 2002 that the English and German patches contained incorrect files. We have corrected the error and provided an updated patch.

What's the scope of the vulnerability?
This is a buffer overrun vulnerability. If a particular service had been installed and was running on an affected system, it could be possible for an attacker to cause a denial of service on the system. In addition, it is possible that they could run code of their choice. The service at issue in this vulnerability is neither installed nor running by default on any version of Windows. In addition, the circumstances under which the vulnerability could be exploited would likely prevent it from being exploited by an Internet-based attacker.

What causes the vulnerability?
The vulnerability results because the component of the SNMP agent service that parses incoming commands contains an unchecked buffer. By sending a specially malformed request, it could be possible to conduct a buffer overrun attack against an affected system.

What is SNMP?
SNMP (Simple Network Management Protocol) is a protocol that allows administrators to remotely manage network devices such as servers, workstations, routers, bridges, firewalls, and so forth. SNMP is an industry-standard protocol, which allows devices made by many different vendors to be managed via the protocol.

How does SNMP work?
In order for an administrator to use SNMP, there has to be an agent - that is, a service that listens for commands and executes them - on every machine that needs to be managed. Next, the administrator needs to know a password (known in SNMP parlance as a community name) that provides either read-only or read-write access, as appropriate. When the administrator issues a management command, the SNMP software on his system refers to a database (called the Management Information Base) that translates those commands into ones that will be meaningful to the other machine.

How secure is SNMP?
SNMP is, by design, not a secure protocol. For instance, all communications in SNMP take place in plaintext, so community names and other potentially sensitive information could potentially be determined by monitoring the network. Microsoft has long recommended using other, more secure methods of managing networks, and this is why the SNMP agent service that ships with Windows platforms is neither installed nor running by default.

What Windows products provide SNMP support?
An SNMP agent service is included in Windows 95, Windows 98, Windows 98SE, Windows NT 4.0, Windows 2000, and Windows XP. However, it's neither installed nor running by default in any of them. Windows ME doesn't provide an SNMP service of any kind.

Which products' SNMP services are affected by the vulnerability?
The SNMP services in all of these products are affected: Windows 95, Windows 98, Windows 98SE, Windows NT 4.0 (including Terminal Server Edition), Windows 2000 and Windows XP.

What's wrong with the SNMP implementations in the affected products?
The SNMP implementations in the affected products have an unchecked buffer in the part of the software that processes management requests. If the SNMP agent service received a management request that is malformed in a particular way, the effect would be to overrun the buffer. If the data in the management request were carefully chosen, the overrun could alter the operation of the running SNMP service, up to and including running code of the attacker's choice.
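The bulletin describes the flaw only as an unchecked buffer in the part of the agent that parses incoming management requests (see the Technical description above and the answer just given); it does not say which field or routine is involved. The C program below is an added example that shows the shape of this bug class in an SNMPv1 message parser; it is not the code of the Windows SNMP agent. SNMP messages are ASN.1 BER, so every length field is attacker-supplied, and the community string (carried in plaintext, as the "How secure is SNMP?" answer notes) is a natural place for a fixed-size copy. The unchecked copy is shown beside a bounds-checked parser that validates each length against the datagram boundary and the destination buffer. The sample datagrams, the 32-byte buffer and the function names are constructed for illustration.

```c
/* Illustrative SNMPv1 community-string parser: an unchecked copy beside a
 * bounds-checked one. Added example; NOT the code of the Windows SNMP agent. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Decode one BER TLV at p (p < end). Handles short-form and long-form lengths
 * and refuses any TLV whose declared length runs past end. Returns 1 on
 * success, 0 if the encoding is truncated or malformed. */
static int ber_tlv(const uint8_t *p, const uint8_t *end,
                   uint8_t *tag, size_t *len, const uint8_t **val)
{
    if (end - p < 2) return 0;                  /* need at least tag + length */
    uint8_t t = p[0];
    size_t l = p[1];
    const uint8_t *v = p + 2;
    if (l & 0x80) {                             /* long form: 0x8N, then N bytes */
        size_t n = l & 0x7F;
        if (n == 0 || n > sizeof(size_t) || (size_t)(end - v) < n) return 0;
        l = 0;
        for (size_t i = 0; i < n; i++) l = (l << 8) | v[i];
        v += n;
    }
    if ((size_t)(end - v) < l) return 0;        /* declared length vs. real datagram */
    *tag = t; *len = l; *val = v;
    return 1;
}

/* VULNERABLE (for comparison only; never call it on untrusted input): copies
 * the community string using the length byte straight from the packet, so a
 * length of 32 or more writes past the end of the fixed stack buffer. */
int snmp_community_unchecked(const uint8_t *msg, char *out)
{
    char community[32];
    const uint8_t *p = msg + 2 + 3;             /* skip SEQUENCE and version headers */
    size_t len = p[1];                          /* untrusted length byte */
    memcpy(community, p + 2, len);              /* overrun when len >= 32 */
    community[len] = '\0';
    strcpy(out, community);
    return (int)len;
}

/* FIXED: every length is validated against the datagram boundary before it is
 * used, and the copy is validated against the destination buffer.
 * Returns the community length, or -1 if the message is rejected. */
int snmp_community_checked(const uint8_t *msg, size_t n, char *out, size_t outsz)
{
    const uint8_t *end = msg + n, *v;
    uint8_t tag; size_t len;

    if (!ber_tlv(msg, end, &tag, &len, &v) || tag != 0x30) return -1;  /* Message SEQUENCE */
    end = v + len;                              /* ber_tlv guarantees end <= msg + n */
    if (!ber_tlv(v, end, &tag, &len, &v) || tag != 0x02 ||
        len != 1 || v[0] != 0) return -1;       /* version INTEGER 0 = SNMPv1 */
    v += len;
    if (!ber_tlv(v, end, &tag, &len, &v) || tag != 0x04) return -1;    /* community OCTET STRING */
    if (len >= outsz) return -1;                /* must fit, with room for the NUL */
    memcpy(out, v, len);
    out[len] = '\0';
    return (int)len;
}

/* Constructed sample: well-formed SNMPv1 GetRequest for sysName.0, community "public". */
static const uint8_t GOOD_REQUEST[] = {
    0x30, 0x26,                                 /* Message SEQUENCE, 38 bytes */
    0x02, 0x01, 0x00,                           /* version 0 (SNMPv1) */
    0x04, 0x06, 'p', 'u', 'b', 'l', 'i', 'c',   /* community */
    0xA0, 0x19,                                 /* GetRequest-PDU, 25 bytes */
    0x02, 0x01, 0x01,                           /* request-id 1 */
    0x02, 0x01, 0x00,                           /* error-status 0 */
    0x02, 0x01, 0x00,                           /* error-index 0 */
    0x30, 0x0E, 0x30, 0x0C,                     /* VarBindList, VarBind */
    0x06, 0x08, 0x2B, 0x06, 0x01, 0x02, 0x01, 0x01, 0x05, 0x00, /* 1.3.6.1.2.1.1.5.0 */
    0x05, 0x00                                  /* NULL value */
};
/* Constructed sample: community length encoded as 255 (long form 0x81 0xFF)
 * while only six bytes follow. A parser that trusts the length copies far
 * past the datagram; the checked parser rejects it. */
static const uint8_t BAD_LENGTH[] = { 0x30, 0x0C, 0x02, 0x01, 0x00,
                                      0x04, 0x81, 0xFF, 'p', 'u', 'b', 'l', 'i', 'c' };
/* Constructed sample: outer SEQUENCE claims 127 bytes but the datagram has 3. */
static const uint8_t TRUNCATED[] = { 0x30, 0x7F, 0x02, 0x01, 0x00 };

int main(void)
{
    char out[32];
    int len = snmp_community_checked(GOOD_REQUEST, sizeof GOOD_REQUEST, out, sizeof out);
    printf("good request: len=%d community=%s\n", len, len < 0 ? "(rejected)" : out);
    printf("bad length:   %d\n", snmp_community_checked(BAD_LENGTH, sizeof BAD_LENGTH, out, sizeof out));
    printf("truncated:    %d\n", snmp_community_checked(TRUNCATED, sizeof TRUNCATED, out, sizeof out));
    return 0;
}
```

The important property is that the checked parser never trusts a length twice: once against the bytes actually received, and once against the buffer it writes into. Feeding BAD_LENGTH to the unchecked function instead would read past the datagram and write 255 bytes into a 32-byte stack buffer, which is the denial-of-service or code-execution outcome the bulletin describes.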

What would this enable an attacker to do?
An attacker who successfully exploited this vulnerability could cause a denial of service in the SNMP service. In addition, it is possible that they could change the operation of the SNMP service. Because it runs as part of the operating system, this would potentially give the attacker complete control over the system.

Who could exploit the vulnerability?
To exploit the vulnerability, the attacker would need to be able to deliver SNMP management requests to the SNMP Service.

How difficult would it be for the attacker to deliver SNMP Management requests to an affected system?
It's likely that an attacker located within a network could deliver SNMP management requests to most other systems on the network, since SNMP traffic is ordinarily not filtered inside an intranet. However, if normal firewalling has been performed, it might be impossible for an attacker located on the Internet to deliver management requests to a system behind the firewall, as standard firewalling recommendations include blocking UDP ports 161 and 162, the ports over which SNMP traffic travels.

How likely is it that a web server or other Internet-exposed system would be vulnerable?
If best practices have been followed, SNMP wouldn't be used on an Internet-exposed machine. As we discussed above, SNMP is not a secure protocol, and as a result it's never appropriate to use SNMP to manage a system on the Internet.

How do I disable the SNMP service?
Just follow the steps for the system you're using.

  • Windows 95, 98 and 98SE:

    1. In Control Panel, double-click Network.
    2. On the Configuration tab, select Microsoft SNMP Agent from the list of installed components.
    3. Click Remove.

    Check the following keys and confirm that snmp.exe is not listed.

    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
  • Windows NT 4.0 (including Terminal Server Edition) :

    1. Select Start, then Settings.
    2. Select Control Panel, then click on the Services Icon
    3. Locate SNMP on the list of services, then select it and click Stop.
    4. Select Startup, and click Disabled.
    5. Click OK to close the dialogue, then close Control Panel.
  • Windows 2000:

    1. Right-click on My Computer and select Manage
    2. Click on Services and Applications, then on Services
    3. Locate SNMP on the list of services, then select it and click Stop.
    4. Select Startup, and click Disabled.
    5. Click OK to close the dialogue, then close the Computer Management window.
  • Windows XP:

    1. Right-click on My Computer and select Manage
    2. Click on Services and Applications, then on Services
    3. Locate SNMP on the list of services, then select it and click Stop.
    4. Select Startup, and click Disabled.
    5. Click OK to close the dialogue, then close the Computer Management window.

I previously disabled the SNMP Service on Windows 2000 or Windows XP. How do I re-enable the SNMP service?
Follow the steps for the system you're using, but only if the service was running before you disabled it and you want it to run again.

  • Windows 2000:
    1. Right-click on My Computer and select Manage
    2. Click on Services and Applications, then on Services
    3. Locate SNMP on the list of services, then select it.
    4. Right-click and select Properties, select Startup, and click Automatic.
    5. Click OK to close the dialogue.
    6. Right-click and select Start.
    7. Close the Computer Management window.
  • Windows XP:
    1. Right-click on My Computer and select Manage
    2. Click on Services and Applications, then on Services
    3. Locate SNMP on the list of services, then select it.
    4. Right-click and select Properties, select Startup, and click Automatic.
    5. Click OK to close the dialogue.
    6. Right-click and select Start.
    7. Close the Computer Management window.

I haven't installed the SNMP service on my system. Am I at any risk?
No. You're only at risk if the SNMP service is running.

What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the command parser in the SNMP agent service.

I downloaded the Windows NT 4.0 Terminal Server Edition patch for English or German prior to March 14, 2002. What should I do?
You should download the updated patches and use those to update your system.

I installed the earlier version of these patches on my system. What do I need to do?
Once you've downloaded the updated patch, you can apply that to your system. It will overwrite the previous version of the patch. There is no need to uninstall the previous version.

I've downloaded a Windows NT 4.0 Terminal Server Edition patch in a language other than English or German. Do I need to do anything?
No. The problem only affects the patches in English and German. Patches in other languages do not suffer from this problem and do not need to be re-downloaded or re-applied.

Patch availability

Download locations for this patch

Additional information about this patch

Installation platforms:

  • Microsoft Windows 98:

    The Windows 98 patch can be installed on systems running Windows 98 Gold.

  • Microsoft Windows 98SE:

    The Windows 98SE patch can be installed on systems running Windows 98SE Gold.

  • Windows NT 4.0:

    The Windows NT 4.0 patch can be installed on systems running Windows NT 4.0 Service Pack 6a.

  • The Windows NT 4.0 Terminal Server Edition patch can be installed on systems running Windows NT 4.0 TSE Service Pack 6.

  • Windows 2000:

    The Windows 2000 patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2.

  • The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:

  • The fix for this issue will be included in Windows 2000 Service Pack 3.
  • The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Windows 98/98SE:

  • To verify that the patch has been installed on the machine, select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows 98 Q314147 Update" will be listed among the installed patches.
  • To verify the individual files, use the file manifest provided in Knowledge Base article Q314147.

Windows NT 4.0:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\Q314147.
  • To verify the individual files, consult the file manifest in Knowledge Base article Q314147

Windows 2000:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147.
  • To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147\Filelist

Windows XP:

  • To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147.
  • To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147\Filelist.

Additional Platforms:

  • Patches are under development and will be available shortly.

Caveats:

None

Localization:

Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

  • Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
  • Patches for consumer platforms are available from the WindowsUpdate web site.

Other information:

Support:

  • Microsoft Knowledge Base article Q314147 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
  • Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (February 12, 2002): Bulletin Created.
  • V2.0 (February 15, 2002): Bulletin updated to include patch availability of patches for Windows 2000 and Windows XP.
  • V3.0 (March 5, 2002): Bulletin updated to include patch availability for Windows NT 4.0.
  • V4.0 (March 11, 2002): Bulletin updated to include patch availability for Windows NT 4.0 Terminal Server Edition.
  • V5.0 (March 13, 2002): Bulletin updated to advise customers that the Windows NT 4.0 Terminal Server Edition patches in English and German released on March 11, 2002 contained an error that has been corrected and to advise customers to download and apply the updated patches.
  • V6.0 (April 26, 2002): Bulletin updated to include patch availability for Windows 98 and Windows 98SE.
  • V6.1 (May 09, 2003): Updated download links to Windows Update.
