Export (0) Print
Expand All

Microsoft Security Bulletin MS99-004 - Critical

Patch Available for Authentication Processing Error in Windows NT 4.0 Service Pack 4

Published: February 08, 1999 | Updated: March 10, 2003

Version: 2.0

Patch Availability Information Updated: March 10, 2003
Originally Posted: February 8, 1999

Summary

Microsoft has released a patch that eliminates a logic error in Service Pack 4 for Windows NT 4.0 that could, under certain conditions, allow a user to log on interactively and connect to network shares using a blank password. The vulnerability primarily, but not exclusively, affects Windows NT servers that serve as domain controllers in environments with DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh clients. In general, customers who have deployed only Windows NT, Windows 95 and Windows 98 client workstations are not at risk from this vulnerability.

A fully supported patch is available for this vulnerability, and Microsoft recommends that all customers evaluate the risk to their systems and, as appropriate, download and install it on affected computers.

Issue

The Windows NT Security Account Manager (SAM) database stores the hashed password for each user account in two forms: an "NT hash" form that is used to authenticate users on Windows NT clients, and an "LM hash" form that is used to authenticate users on Windows 95, Windows 98, and downlevel clients such as DOS, Windows 3.1, Windows for Workgroups, OS/2 and Macintosh. When a user changes his password via a Windows NT, Windows 95 or Windows 98 client, both the "NT hash" and "LM hash" forms of the password are updated in the SAM. However, when the user changes his password via a downlevel client, only the "LM hash" form of the password is stored; a null value is stored in the "NT hash" field. This is normal operation.

When a user attempts an interactive logon or a network share connection from a Windows NT system, the Windows NT authentication process uses the "NT hash" form of the password. If the "NT hash" is null, the "LM hash" of the password is used for verification. (Windows 95, Windows 98 and downlevel clients always use only the "LM hash" for verification.) The logic error in Service Pack 4 incorrectly allows a null "NT hash" value to be used for authentication from Windows NT systems. The result is that if a user account's password was last changed from a DOS, Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a user can logon into that account from a Windows NT system using a blank password.

By far the most likely machines to be affected by this vulnerability would be domain controllers running Windows NT 4.0 SP 4, in networks that contain any of the downlevel clients listed above. However, any server or workstation running Windows NT 4.0 SP 4 that contains a SAM database with active users who communicate from downlevel clients would be vulnerable to this problem. For example, a workgroup of Windows NT 4.0 SP 4 systems, one of which is accessed by Windows for Workgroups clients, would be affected by this vulnerability.

It is worth reiterating the following points:

  • Even on an affected network, a user whose most recent password change was performed via Windows NT, Windows 95 or Windows 98 workstations will have a non-null "NT hash" value, and hence will not be at risk.
  • Customers who are affected by the vulnerability need only apply the patch to machines that contain SAM databases with active user accounts.
  • There is no need for users to update or change their passwords after applying the patch. Even in vulnerable systems, the SAM database entries are valid; the problem lies in the way SP4 processes them. The patch corrects the authentication process logic in SP4 without changing the SAM database entries in any way.

Affected Software Versions

The following software versions are affected:

  • Microsoft Windows NT 4.0, Service Pack 4

Vulnerability Identifier: CVE-1999-0366

What Microsoft is Doing

On February 8th, Microsoft released a patch that fixes the problem identified above. This patch is available for download from the sites listed below.

Microsoft has sent this security bulletin to customers subscribing to the Microsoft Product Security Notification Service. See The Microsoft Product Security Notification Service for more information about this free customer service.

Microsoft has published the following Knowledge Base (KB) article on this issue:

Microsoft has posted the following hot fixes to address this problem.

What customers should do

The patch for this vulnerability is fully supported, and Microsoft recommends that all affected customers apply it. The URLs for the patch are provided above in What Microsoft is Doing.

More Information

Please see the following references for more information related to this issue.

Acknowledgments

Microsoft wishes to acknowledge Harry Johnston, School of Computing and Mathematical Sciences, University of Waikato, New Zealand, for discovering this vulnerability and reporting it to us.

Obtaining Support on this Issue

This is a supported patch. If you have problems installing this patch or require technical assistance with this patch, please contact Microsoft Technical Support. For information on contacting Microsoft Technical

Support, please see http://support.microsoft.com/contactussupport/?ws=support.

Revisions

  • February 8, 1999: Bulletin Created
  • V2.0 (March 10, 2003): Introduced versioning and updated patch availability information

For additional security-related information about Microsoft products, please visit http://www.microsoft.com/technet/security

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Built at 2014-04-18T13:49:36Z-07:00

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2015 Microsoft