Microsoft Security Bulletin MS02-036 - Moderate
Authentication Flaw in Microsoft Metadirectory Services Could Allow Privilege Elevation (Q317138)
Published: July 24, 2002
Originally posted: July 24, 2002
Who should read this bulletin:
System administrators running Microsoft® Metadirectory Services 2.2
Impact of vulnerability:
Elevation of privilege.
Maximum Severity Rating: Moderate
Recommendation: MMS administrators should apply the patch immediately.
Affected Software:
- Microsoft Metadirectory Services 2.2
Microsoft Metadirectory Services (MMS) is a centralized metadirectory service that provides connectivity, management, and interoperability functions to help unify fragmented directory and database environments. It enables enterprises to link together disparate data repositories such as the Exchange directory, Active Directory, third-party directory services, and proprietary databases, for the purpose of ensuring that the data in each is consistent, accurate, and can be centrally managed.
A flaw exists that could enable an unprivileged user to access and manipulate data within MMS that should, by design, only be accessible to MMS administrators. Specifically, it is possible for an unprivileged user to connect to the MMS data repository via an LDAP client in such a way as to bypass certain security checks. This could enable an attacker to modify data within the MMS data repository, either for the purpose of changing the MMS configuration or replicating bogus data to the other data repositories.
- If normal security practices have been followed, the vulnerability could not be exploited from the Internet.
- The vulnerability could only be exploited by an attacker who had significant technical expertise at a protocol level. The vulnerability does not provide access to MMS itself, but rather to the MMS data repository. Determining what data to change - and how to change it - in order to cause a desired effect could be quite difficult.
- A successful attack would require a detailed understanding of the specific way MMS had been configured, as well as information about all of the other directories and databases it was being used to manage. It is likely that the vulnerability could only be exploited by an attacker who had insider knowledge about the enterprise.
Severity Rating:
| Internet Servers | Intranet Servers | Client Systems |
The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. For an attack to succeed, the attacker would need to have specific knowledge about the particular MMS configuration and advanced knowledge of MMS.
Vulnerability identifier: CAN-2002-0697
Microsoft tested MMS 2.2 and MMS 2.2 Service Pack 1 to assess whether they are affected by this vulnerability. The previous version, MMS 2.1, is no longer supported and may or may not be affected by this vulnerability.
What's the scope of the vulnerability?
This is a privilege elevation vulnerability. An attacker who successfully exploited this vulnerability could, under a very daunting set of circumstances, gain the ability to modify business-critical data that could then be replicated to data repositories throughout an enterprise.
The vulnerability would likely be quite difficult to exploit. It would require great technical sophistication on the part of the attacker, as the vulnerability provides only access to low-level data structures. In addition, the attacker would almost certainly need insider knowledge of how various databases and directories throughout the enterprise were configured and used.
What causes the vulnerability?
The vulnerability results because MMS logon credentials are not correctly verified when an LDAP client accesses MMS under certain circumstances.
What is MMS?
Microsoft Metadirectory Services is a metadirectory service - that is, a directory that's used to manage other directories and data sources. In many companies, business-critical data is held in a variety of data sources. For instance, a company might have users' email information stored within the Exchange directory, account information stored within Active Directory, and personnel information stored within a custom database. MMS provides a way to link all of those data sources together, manage them centrally, and ensure that the data in them is always synchronized.
How widely is MMS used?
MMS is not a commonly deployed system. It typically is deployed only within enterprises that have a large number of heterogeneous data sources that require integration and centralized management.
What's wrong with MMS?
The problem lies in the way MMS regulates access to its data repository. All connections to the repository should be checked to ensure that the person making the connection has the proper credentials to perform the actions they're performing. However, it's possible to connect to the repository in an unusual way that has the effect of bypassing the check.
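The bulletin does not describe the MMS mechanism in detail, only that an unusual connection path skips the credential check. The following is an added, constructed illustration of that bug class in general, not MMS code and not the MMS protocol: a repository whose check is enforced inside one request handler, so a second write path reaches the data unchecked, next to a default-deny version where the check runs once before dispatch. The request kinds, the credential string and the stored entries are assumptions made for the illustration.

```python
"""Toy illustration of an access check that is enforced on the expected
request path but skipped on an unusual one. Constructed for this page;
it is not MMS code and does not reproduce the MMS protocol. Request
kinds, the credential and the stored entries are assumptions."""
from dataclasses import dataclass
from typing import Dict, Optional

ADMIN_CREDENTIAL = "admin-secret"  # constructed; stands in for an admin bind


@dataclass
class Request:
    kind: str                       # "search", "modify" or "replace" (assumed)
    target: str                     # attribute being read or written
    credential: Optional[str] = None
    value: Optional[str] = None


class VulnerableRepository:
    """The credential check lives inside the 'modify' handler only.
    A second write operation ('replace') is routed straight to the
    write routine, so it reaches the data without any check."""

    def __init__(self) -> None:
        self.data: Dict[str, str] = {"admin_password": "hunter2"}  # constructed
        self._ops = {
            "search": self._search,
            "modify": self._guarded_write,
            "replace": self._write,        # unusual path: no guard at all
        }

    def handle(self, req: Request) -> Optional[str]:
        op = self._ops.get(req.kind)
        if op is None:
            raise ValueError(f"unknown operation {req.kind!r}")
        return op(req)

    def _search(self, req: Request) -> Optional[str]:
        return self.data.get(req.target)

    def _guarded_write(self, req: Request) -> str:
        if req.credential != ADMIN_CREDENTIAL:
            raise PermissionError("write requires administrator credentials")
        return self._write(req)

    def _write(self, req: Request) -> str:
        self.data[req.target] = req.value or ""
        return "ok"


class HardenedRepository(VulnerableRepository):
    """Same operations, but the check runs once in handle(), before
    dispatch, and is default-deny: any kind not explicitly listed as
    read-only must present administrator credentials. Adding another
    write path later cannot silently bypass it."""

    READ_ONLY = frozenset({"search"})

    def handle(self, req: Request) -> Optional[str]:
        if req.kind not in self.READ_ONLY and req.credential != ADMIN_CREDENTIAL:
            raise PermissionError(f"{req.kind!r} requires administrator credentials")
        return super().handle(req)


def attempt_unprivileged_reset(repo: VulnerableRepository) -> bool:
    """Try to overwrite admin_password with no credential via the unusual
    'replace' path. Returns True if the stored value was changed."""
    before = repo.data["admin_password"]
    try:
        repo.handle(Request("replace", "admin_password", value="attacker-chosen"))
    except PermissionError:
        pass
    return repo.data["admin_password"] != before


if __name__ == "__main__":
    print("vulnerable store changed:", attempt_unprivileged_reset(VulnerableRepository()))
    print("hardened store changed:  ", attempt_unprivileged_reset(HardenedRepository()))
```

The hardened version matches what the patch description below asks for: the credential check sits in front of every access to the repository rather than inside individual operations, so the question "is this path guarded?" never has to be asked per handler.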
What's the MMS data repository?
MMS needs to store two different types of data locally. First, it needs to store configuration information for MMS itself, such as administrator userids and passwords. Second, depending upon the specific deployment scenario, it may need to store data that isn't found in any of the other directories or databases - that is, MMS may need to act as a directory in its own right, and ensure that the data in that directory is kept consistent with the data in the other directories and databases.
What could this vulnerability enable an attacker to do?
The vulnerability could enable an attacker to modify data in the MMS data repository. A successful attack could allow the attacker to, for instance, reset the MMS administrator password and then subsequently log directly onto MMS as an administrator. It also could enable the attacker to create data that would be replicated to the other data sources.
However, exploiting the vulnerability would be quite difficult. Because the vulnerability provides access to the underlying data structures rather than MMS itself, the attacker would need to possess a great deal of technical knowledge about how MMS works at a protocol level. In addition, the specific layout of the data repository is unique for every deployment, so the attacker would need insider knowledge about the particular MMS deployment.
Who could exploit the vulnerability?
The vulnerability could be exploited by an attacker who could create a connection to the MMS system, and had both a detailed understanding of how to manipulate the MMS data repository at a protocol level and significant information about the specific MMS deployment.
Could the vulnerability be exploited via the Internet?
If normal firewalling precautions had been observed (specifically, if TCP port 389, the standard LDAP port, were blocked at the perimeter), users on the Internet would not be able to create a connection, and thus could not exploit the vulnerability.
What does the patch do?
The patch eliminates the vulnerability by instituting proper credential checking against accesses made to the MMS data repository.
Download locations for this patch
- Microsoft Metadirectory Services 2.2 Service Pack 1: http://download.microsoft.com/download/mms22/Patch/Q317138/NT5/EN-US/Q317138.EXE
Additional information about this patch
This patch can be installed on systems running Microsoft Metadirectory Services 2.2 Service Pack 1.
Inclusion in future service packs:
The fix for this issue will be included in the next version of MMS.
Reboot needed: Yes
Superseded patches: None
Verifying patch installation:
To verify the patch has been installed, do the following:
- When the MMS service is running, an icon appears in the system tray; double-click this icon.
- In the MMS Server window that opens, select "Help", then "About MMS Server" from the menu.
- The About MMS Server window shows the version number. If the patch has been applied, the version will be "MMS Server Version 2.2 SP1, Build 2.2(1300.28)" or higher.
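As an added example for this page (not a Microsoft tool), the check above can be automated by parsing the About dialog text and comparing the build numerically against 2.2(1300.28); the sample strings are constructed to resemble that dialog. It treats anything it cannot parse, or any string that is not a 2.2 SP1 build, as unpatched, since the patch installs only on 2.2 SP1.

```python
"""Check the version string shown by Help > About MMS Server against the
patched build named in MS02-036, 2.2(1300.28). Added example, not a
Microsoft tool; sample strings are constructed to resemble the dialog."""
import re
from typing import Optional, Tuple

# Build reported once Q317138 is applied, taken from the bulletin.
PATCHED_BUILD: Tuple[int, int] = (1300, 28)

# Matches "Build 2.2(1300.28)" and captures the two numeric build parts.
_BUILD_RE = re.compile(r"Build\s+2\.2\((\d+)\.(\d+)\)")


def parse_build(about_text: str) -> Optional[Tuple[int, int]]:
    """Return the build as an (int, int) pair, or None if the text carries
    no MMS 2.2 build number."""
    m = _BUILD_RE.search(about_text)
    if m is None:
        return None
    return int(m.group(1)), int(m.group(2))


def is_patched(about_text: str) -> bool:
    """True only when the text names a 2.2 SP1 build >= 1300.28.
    Missing SP1, or an unparseable string, is reported as unpatched
    (fail closed): the patch installs only on 2.2 SP1."""
    if "SP1" not in about_text:
        return False
    build = parse_build(about_text)
    return build is not None and build >= PATCHED_BUILD


if __name__ == "__main__":
    # Constructed samples, not output captured from a real server.
    for sample in (
        "MMS Server Version 2.2 SP1, Build 2.2(1300.28)",
        "MMS Server Version 2.2 SP1, Build 2.2(1300.3)",
        "MMS Server Version 2.2, Build 2.2(1300.28)",
    ):
        print(f"{sample!r}: patched={is_patched(sample)}")
```

The build is compared as a pair of integers rather than as text: as strings, "1300.3" sorts after "1300.28", so a naive string comparison would report an older build as patched.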
Microsoft Metadirectory Services is English only, so localized patches are not required.
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Microsoft Knowledge Base article Q317138 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
V1.0 (July 24, 2002): Bulletin Created.