Microsoft Security Bulletin MS01-003 - Critical
Weak Permissions on Winsock Mutex Can Allow Service Failure
Published: January 24, 2001 | Updated: July 10, 2003
Originally posted: January 24, 2001
Updated: July 10, 2003
Who should read this bulletin:
System Administrators using Microsoft® Windows NT® 4.0 Servers and Terminal Servers.
Impact of vulnerability:
Denial of Service
Consider installing this patch on all Windows NT 4.0 terminal servers, and on any Windows NT 4.0 servers on which unprivileged users are granted interactive logon rights.
- Microsoft Windows NT 4.0
- Microsoft Windows NT 4.0, Terminal Server Edition
Like all other objects under Windows NT 4.0, mutexes - synchronization objects that govern access to resources - have permissions associated with them, that govern how they can be accessed. However, a particular mutex used to govern access to a networking resource has inappropriately loose permissions. This could enable an attacker who had the ability to run code on a local machine to monopolize the mutex, thereby preventing any other processes from using the resource that it controlled. This would have the effect of preventing the machine from participating in the network.
The attacker would require interactive logon access to the affected machine. This significantly limits the scope of the vulnerability because, if normal security recommendations have been followed, unprivileged users will not be granted interactive logon rights to critical machines like servers. Unprivileged users typically are granted interactive logon rights to workstations and terminal servers. However, a workstation would not be a tempting target for an attacker, because he could only use this vulnerability to deny service to himself. The machines most likely to be affected would be Terminal Servers.
- Attacker would need to have interactive logon rights in order to exploit a server. However, best practices recommend against granting this permission on security-critical servers.
Vulnerability identifier: CAN-2001-0006
Microsoft tested Windows 2000 and Windows NT 4.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker who could log onto a machine interactively could use this vulnerability to make it stop responding to network traffic. This would not cause the machine to fail, but it would prevent it from communicating with other machines.
Security best practices strongly recommend against ever allowing unprivileged users to interactively log onto critical servers like domain controllers, print and file servers, ERP servers, database servers, and so forth. If these recommendations have been followed, this vulnerability would pose a risk only to workstations and terminal servers.
What causes the vulnerability?
The vulnerability results because a networking mutex has inappropriate permissions. An attacker could write a program that could gain control of the mutex and deny access to it. This would prevent any other processes from being able to perform networking operations, essentially isolating the machine from the network.
What is a mutex?
A mutex is a synchronization object used to prevent more than one process from accessing certain resources at the same time. Multiprocessing operating systems like Windows NT 4.0 allow multiple programs to run at the same time. However, even so, there are certain resources that can only be used by one program at a time. Mutexes are used to help control access to resources like these.
What's the problem with mutexes in Windows NT 4.0?
There's no problem with mutexes in general. However, mutexes, like all objects in Windows NT 4.0, have permissions that regulate how and by whom they can be accessed. The mutex involved in this vulnerability has inappropriate permissions. By design, this mutex should only be accessible by programs with administrator or system privileges; however, in reality, everyone can access it. As a result, an attacker could write a program that waits its turn for the mutex and change its permissions allowing no access. If this happened, no other program could use the resource.
What's the resource that the mutex governs?
The particular mutex in this case regulates access to a networking resource. By denying access to the mutex, the attacker's program could prevent any other programs from using the networking functions in Windows NT 4.0.
What would be the result?
The machine would stop communicating with other machines on the network, because no other programs would be able to use the networking resources. The operator would need to reboot the machine to restore normal operation.
Could this vulnerability be exploited remotely?
No. The attacker's program would need to run locally on the machine. This means that the attacker would need the ability to log onto the machine interactively and start his program. This is an important point, because, if normal security restrictions are observed, unprivileged users will not be able to log onto critical machines such as servers, and would as a result be unable to attack them.
What machines are at greatest risk from this vulnerability?
Typically, unprivileged users are only allowed to log onto workstations and terminal servers interactively. It would do little good for an attacker to attack a workstation via this vulnerability, because he would only succeed in denying service to himself. However, if he attacked a terminal server via this vulnerability, he could render the server useless until it was rebooted.
What does the patch do?
The patch eliminates the vulnerability by correcting the permissions on the affected mutex.
Download locations for this patch
- Windows NT 4.0:
- Windows NT 4.0, Terminal Server Edition:
Additional information about this patch
This patch can be installed on systems running Windows NT 4.0 Server Service Pack 6a or Windows NT 4.0 Server, Terminal Server Edition, Service Pack 6.
Inclusion in future service packs:
The fix for this issue will be included in Service Pack 7 for both Windows NT 4.0 and Windows NT 4.0 Terminal Server Edition.
Verifying patch installation:
To verify that the patch has been installed, verify that the files listed in the patch manifest in Knowledge Base article Q279336 have been installed on the machine.
Localized versions of this patch are under development. When completed, they will be available at the locations discussed in "Obtaining other security patches".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q279336 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (January 24, 2001): Bulletin Created.
- V1.1 (July 10, 2003): Corrected links to Windows Update in Additional Information.
Built at 2014-04-18T13:49:36Z-07:00