Microsoft Security Advisory 921923
Proof of Concept Code Published Affecting the Remote Access Connection Manager Service
Published: June 23, 2006
Microsoft is aware that detailed exploit code has been published on the Internet for the vulnerability that is addressed by Microsoft security bulletin MS06-025. Microsoft is not currently aware of active attacks that use this exploit code or of customer impact at this time. However, Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary.
Our investigation of this exploit code has verified that it does not affect customers who have installed the updates detailed in MS06-025 on their computers. Microsoft continues to recommend that customers apply the updates to the affected products by enabling the Automatic Updates feature in Windows.
Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users. We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities.
- Customers who have installed the MS06-025 security update are not affected by this vulnerability.
- Windows 2000 systems are primarily at risk from this vulnerability. Customers running Windows 2000 should deploy MS06-025 as soon as possible or disable the RASMAN service.
- On Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 the attacker would need to have valid logon credentials in order to exploit the vulnerability.
- This issue does not affect Windows 98, Windows 98 SE, or Windows Millennium Edition.
Purpose of Advisory: Notification of the availability of a security update to help protect against this potential threat.
Advisory Status: As this issue is already addressed as part of the MS06-025 security bulletin, no additional update is required.
Recommendation: Install MS06-025 security update to help protect against this vulnerability.
This advisory discusses the following software.
|Microsoft Windows 2000 Service Pack 4|
|Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2|
|Microsoft Windows XP Professional x64 Edition|
|Microsoft Windows Server 2003 and Microsoft Windows Server 2003 Service Pack 1|
|Microsoft Windows Server 2003 for Itanium-based Systems and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems|
|Microsoft Windows Server 2003 x64 Edition|
What is the scope of the advisory?
Microsoft is aware of public posting of exploit code targeting vulnerabilities identified in Microsoft Security Update MS06-025. This affects the software that is listed in the “Overview” section.
Is this a security vulnerability that requires Microsoft to issue a security update?
No. Customers who have installed the MS06-025 security update are not affected by this vulnerability. No additional update is required.
What causes this threat?
An unchecked buffer in Routing and Remote Access technologies, specifically affecting the Remote Access Connection Manager Service (RASMAN).
What does the feature do?
The Remote Access Connection Manager is a service that handles the details of establishing the connection to the remote server. This service also provides the client with status information during the connection operation. The Remote Access Connection Manager starts automatically when an application loads the RASAPI32.DLL.
What might an attacker use this function to do?
An attacker who successfully exploited this vulnerability could take complete control of the affected system.
Are there any known issues with installing Microsoft Security Update MS06-025 that protects against this threat?
Microsoft Knowledge Base Article 911280 documents the currently known issues that customers may experience when they install the security update. Only customers who use dial-up connections that use scripts that configure their device for parity, stop bits or data bits, or a post-connect terminal window or dial-up scripting, are affected by the issues identified in the KB article. Customers who do not use any of the dial-up scenarios identified are encouraged to install the update immediately.
If you have installed the update released with Security Bulletin MS06-025, you are already protected from the attack identified in the publicly posted proof of concept code. If you have not installed the update or are affected by any of the scenarios identified in Microsoft Knowledge Base Article 911280, you are encouraged to disable the Remote Access Connection Manager service.
Disable the Remote Access Connection Manager service
Disabling the Remote Access Connection Manager service will help protect the affected system from attempts to exploit this vulnerability. To disable the Remote Access Connection Manager (RASMAN) service, follow these steps:
- Click Start, and then click Control Panel. Alternatively, point to Settings, and then click Control Panel.
- Double-click Administrative Tools.
- Double-click Services.
- Double-click Remote Access Connection Manager.
- In the Startup type list, click Disabled.
- Click Stop, and then click OK.
You can also stop and disable the Remote Access Connection Manager (RASMAN) service by using the following command at the command prompt:
sc stop rasman & sc config rasman start= disabled
Impact of Workaround: If you disable the Remote Access Connection Manager service, you cannot offer routing services to other hosts in local area and wide area network environments. Therefore, we recommend this workaround only on systems that do not require the use of RASMAN for remote access and routing.
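The command above joins its two halves with `&`, so `sc config` runs even if `sc stop` fails, and a stopped service that is not disabled starts again when an application loads RASAPI32.DLL. The following Python check is an added example, not part of the advisory: it reads the text of `sc query rasman` and `sc qc rasman` and reports whether both halves of the workaround took effect. The function names and the sample outputs are constructed for illustration.

```python
import re

SERVICE_STOPPED = 1   # numeric STATE code printed by `sc query`
SERVICE_DISABLED = 4  # numeric START_TYPE code printed by `sc qc`

# Constructed sample output in the layout `sc` prints; not from a real host.
SAMPLE_QUERY = """\
SERVICE_NAME: rasman
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
"""
SAMPLE_QC = """\
[SC] QueryServiceConfig SUCCESS

SERVICE_NAME: rasman
        TYPE               : 20  WIN32_SHARE_PROCESS
        START_TYPE         : 4   DISABLED
"""

def _code(text, name):
    """Return the numeric code from a line such as 'STATE : 4  RUNNING'."""
    m = re.search(rf"^\s*{name}\s*:\s*(\d+)", text, re.MULTILINE)
    if not m:
        raise ValueError(f"{name} not found in sc output")
    return int(m.group(1))

def rasman_workaround_status(query_out, qc_out):
    """Classify a host from its `sc query rasman` and `sc qc rasman` text."""
    stopped = _code(query_out, "STATE") == SERVICE_STOPPED
    disabled = _code(qc_out, "START_TYPE") == SERVICE_DISABLED
    if stopped and disabled:
        return "applied"
    if disabled:
        # Startup type changed, but the running instance was never stopped.
        return "incomplete: disabled but still running"
    if stopped:
        # Will start again when an application loads RASAPI32.DLL.
        return "incomplete: stopped but not disabled"
    return "not applied"

if __name__ == "__main__":
    print(rasman_workaround_status(SAMPLE_QUERY, SAMPLE_QC))
```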
Block the following at the firewall:
- UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
- All unsolicited inbound traffic on ports greater than 1024
- Any other specifically configured RPC port
These ports are used to initiate a connection with RPC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about ports that RPC uses, visit the following Web site.
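To check an existing perimeter policy against the list above, the following added example (not part of the advisory) audits inbound allow rules for overlap with the advisory's ports, with ports above 1024, and with any site-specific RPC port. The rule format, the sample rules, and the function names are constructed for illustration.

```python
# Ports named in the advisory's firewall workaround.
BLOCK = {"udp": {135, 137, 138, 445}, "tcp": {135, 139, 445, 593}}

# Constructed inbound allow rules in a made-up "proto low-high comment" format.
SAMPLE_RULES = """\
tcp 80-80 web
tcp 443-443 web tls
tcp 593-593 rpc over http
udp 137-138 netbios
tcp 1024-5000 legacy app range
tcp 3389-3389 remote desktop
"""

def parse_rules(text):
    """Parse rule lines into (proto, low, high, comment) tuples."""
    rules = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        proto, span, *comment = line.split()
        low, high = (int(p) for p in span.split("-"))
        rules.append((proto.lower(), low, high, " ".join(comment)))
    return rules

def audit(rules, extra_rpc_ports=()):
    """Return (rule, reasons) for allow rules the advisory says to block."""
    findings = []
    for proto, low, high, _comment in rules:
        reasons = []
        named = sorted(p for p in BLOCK.get(proto, ()) if low <= p <= high)
        if named:
            reasons.append(f"advisory-listed port {named}")
        custom = sorted(p for p in extra_rpc_ports if low <= p <= high)
        if custom:
            reasons.append(f"configured RPC port {custom}")
        if high > 1024:  # "greater than 1024" starts at 1025, not 1024
            reasons.append(
                f"unsolicited inbound above 1024 ({max(low, 1025)}-{high})")
        if reasons:
            findings.append((f"{proto} {low}-{high}", reasons))
    return findings

if __name__ == "__main__":
    for rule, reasons in audit(parse_rules(SAMPLE_RULES)):
        print(rule, "->", "; ".join(reasons))
```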
To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.
By default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet. In Windows XP Service Pack 2 this feature is called the Windows Firewall.
To enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:
- Click Start, and then click Control Panel.
- In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.
To configure Internet Connection Firewall manually for a connection, follow these steps:
- Click Start, and then click Control Panel.
- In the default Category View, click Networking and Internet Connections, and then click Network Connections.
- Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.
- Click the Advanced tab.
- Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.
Note If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.
- Customers who believe they have been attacked should contact their local FBI office or post their complaint on the Internet Fraud Complaint Center Web site. Customers outside the U.S. should contact the national law enforcement agency in their country.
- Customers in the U.S. and Canada who believe they may have been affected by this possible vulnerability can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support that is associated with security update issues or viruses. International customers can receive support by using any of the methods that are listed at Security Help and Support for Home Users Web site.
All customers should apply the most recent security updates released by Microsoft to help ensure that their systems are protected from attempted exploitation. Customers who have enabled Automatic Updates will automatically receive all Windows updates. For more information about security updates, visit the Microsoft Security Web site.
- For more information about staying safe on the Internet, customers can visit the Microsoft Security Home Page.
Keep Windows Updated
All Windows users should apply the latest Microsoft security updates to help make sure that their computers are as protected as possible. If you are not sure whether your software is up to date, visit the Windows Update Web site, scan your computer for available updates, and install any high-priority updates that are offered to you. If you have Automatic Updates enabled, the updates are delivered to you when they are released, but you have to make sure you install them.
- You can provide feedback by completing the form by visiting the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- June 23, 2006 Advisory published