Microsoft Security Bulletin MS00-050
Patch Available for 'Telnet Server Flooding' Vulnerability
Originally Posted: July 24, 2000
Microsoft has released a patch that eliminates a security vulnerability in the Telnet Server that ships as part of Microsoft® Windows 2000. The vulnerability could allow a malicious user to prevent an affected machine from providing Telnet services.
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
A remote denial of service vulnerability has been discovered in the Telnet Server that ships with Microsoft Windows 2000. The denial of service can occur when a malicious client sends a particular malformed string to the server.
Although the Telnet service is provided as part of Windows 2000 products, the service is not enabled by default, and customers who have not enabled it would not be at risk. Even in affected systems, the effect of the vulnerability is limited to Telnet itself - there is no capability to cause other services to fail, or to cause Windows 2000 to fail.
Telnet services could be restored after an attack by restarting the Telnet Server.
What's this bulletin about?
Microsoft Security Bulletin MS00-050 announces the availability of a patch that eliminates a vulnerability in the Telnet Server that ships with Microsoft® Windows 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This is a Denial of Service vulnerability. A malicious user could use the vulnerability to cause the Telnet Server service on an affected machine to stop responding to client requests.
By default, Telnet is not enabled on Windows 2000, and only customers who have enabled it would be at risk from this vulnerability. The vulnerability could be used to deny Telnet services, but could not be used for any broader attack - that is, it could not be used to compromise data on an affected server, usurp administrative control, or affect other services.
Telnet services could be restored on an affected machine by restarting the Telnet service.
What causes the vulnerability?
A flaw in the Telnet Server that ships as part of Windows 2000 causes it to fail when provided with a particular malformed input string from a malicious client machine.
What is Telnet?
Telnet is a member of the TCP/IP family of protocols, and allows a user to establish a remote session on a server. The protocol supports only alphanumeric terminals - that is, it doesn't support mice and other pointing devices, nor does it support graphical user interfaces. Instead, all commands must be entered via the command line. For more information on the Telnet protocol, please see http://www.ietf.org/rfc/rfc0854.txt?number=854.
The Telnet protocol provides very little security - all data in a Telnet session, including passwords, is transmitted between client and server in plaintext. Because of this limitation, as well as the general recommendation against ever allowing untrusted users access to security-critical servers, Telnet services typically are provided only by servers that are intended to be publicly-accessible.
What's the problem with the Telnet Server in Windows 2000?
The Telnet Server service provided as part of Windows 2000 products does not correctly handle a particular kind of malformed input string sent to it from a client. If such data were received by an affected system, it would cause the Telnet service to fail.
What would be the effect of the Telnet service failing?
If the Telnet service failed, it would cause any existing Telnet sessions to fail, with the loss of any work that was in progress at the time. However, it would not affect any other services on the system, and wouldn't affect Windows 2000 itself. Normal operation could be restored by restarting the Telnet service.
Is Telnet running by default in Windows 2000?
The Telnet Server Service is not enabled by default on a standard Windows 2000 installation.
Who could exploit this vulnerability?
Any malicious user who could send data to an affected machine could exploit the vulnerability. If an affected machine were directly connected to the Internet, the vulnerability could be exploited by a malicious user; on the other hand, an affected machine that provided Telnet services only within an intranet could only be attacked by an intranet user.
Would a malicious user need a valid password on the affected machine to exploit the vulnerability?
No. A Telnet Server can be configured to require a userid and password, but the malicious user could send the invalid data at issue here whether he could successfully log onto the machine or not.
Who should use the patch?
Microsoft recommends that anyone who enables the Telnet Server service on their Windows 2000 systems should install the patch.
Will the patch be included in Service Pack 1 for Windows 2000?
No. This vulnerability was identified too late in the development cycle for Windows 2000 Service Pack 1. It will, however, be included in Windows 2000 Service Pack 2. In the meantime, customers can install the patch on a Windows 2000 system pre or post Service Pack 1 (once available). If the patch is installed prior to SP1 it will not be overwritten if you decide to apply the Service Pack 1 afterwards.
What does the patch do?
The patch eliminates the vulnerability by causing the Windows 2000 Telnet service to process the string at issue correctly.
How do I use the patch?
Knowledge Base article Q267843 contains detailed instructions for applying the patch to your site.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin .
How can I tell if I installed the patch correctly?
The Knowledge Base article Q267843 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.
What is Microsoft doing about this issue?
- Microsoft has delivered a patch that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article Q267843 article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Download locations for this patch
- Microsoft Windows 2000 All Versions:
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
- Microsoft Knowledge Base (KB) article, Q267843 discusses this issue.
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/contactussupport/?ws=support .
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- July 24, 2000: Bulletin Created.
Built at 2014-04-02T23:59:26Z-07:00