Microsoft Security Bulletin MS14-042 - Moderate

Vulnerability in Microsoft Service Bus Could Allow Denial of Service (2972621)

Published: July 8, 2014 | Updated: October 14, 2014

Version: 2.0

General Information

Executive Summary

This security update resolves one publicly disclosed vulnerability in Microsoft Service Bus for Windows Server. The vulnerability could allow denial of service if a remote authenticated attacker creates and runs a program that sends a sequence of specially crafted Advanced Message Queuing Protocol (AMQP) messages to the target system. Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system. For an affected system to be vulnerable, Microsoft Service Bus must first be downloaded, installed, and configured, and then its configuration details (farm certificate) shared with other users.

This security update is rated Moderate for Microsoft Service Bus 1.1 when installed on affected editions of Windows Server 2008 R2, Windows Server 2012, and Windows Server 2012 R2. For more information, see the Affected and Non-Affected Software section.

The security update addresses the vulnerability by modifying how Service Bus for Windows Server handles AMQP messages. For more information about the vulnerability, see the Frequently Asked Questions (FAQ) subsection for the specific vulnerability in this bulletin.

Recommendation. Most customers have automatic updating enabled and will not need to take any action because this security update will be downloaded and installed automatically. For information about specific configuration options in automatic updating, see Microsoft Knowledge Base Article 294871. For customers who do not have automatic updating enabled, the steps in Turn automatic updating on or off can be used to enable automatic updating.

For administrators and enterprise installations, or end users who want to install this security update manually (including customers who have not enabled automatic updating), Microsoft recommends that customers consider applying the security update using update management software, or by checking for updates using the Microsoft Update service. The updates are also available via the download links in the Affected Software table later in this bulletin.

For additional guidance, see the Detection and Deployment Tools and Guidance section in this bulletin.

Knowledge Base Article

  • Knowledge Base Article: 2972621
  • File Information: Yes
  • SHA1/SHA2 hashes: Yes
  • Known issues: Yes


Affected and Non-Affected Software

The following software has been tested to determine which versions or editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, see Microsoft Support Lifecycle.

Affected Software 

Product | Maximum Security Impact | Aggregate Severity Rating | Updates Replaced
Microsoft Service Bus 1.1 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (2972621) | Denial of Service | Moderate | None
Microsoft Service Bus 1.1 when installed on Windows Server 2012 (2972621) | Denial of Service | Moderate | None
Microsoft Service Bus 1.1 when installed on Windows Server 2012 R2 (2972621) | Denial of Service | Moderate | None


Update FAQ

What product version of Microsoft Service Bus for Windows Server is affected by the vulnerability?
Microsoft Service Bus 1.1 is affected by the vulnerability if the product versions for the affected binaries present on the system match those listed under Vulnerable product version in the table below.

Affected binary | Vulnerable product version | Expected product version after applying the update
Microsoft.ServiceBus.dll | 2.1.30904.0 | 2.1.40512.2
Microsoft.Cloud.ServiceBus.Client.dll | 2.1.30904.0 | 2.1.40512.2
Microsoft.ServiceBus.Commands.dll | 2.0.30904.0 | 2.0.40512.2
Microsoft.Cloud.ServiceBus.Messaging.dll | 2.0.30904.0 | 2.0.40512.2

If the product versions for the affected binaries present on the system are greater than or equal to the entries in the third column (Expected product version after applying the update), then Microsoft Service Bus 1.1 has been updated to address the vulnerability and is not affected. A binary whose product version still matches the second column (Vulnerable product version) is unpatched.

How do I know which version of Microsoft Service Bus for Windows Server is currently installed on my system? 
If Microsoft Service Bus 1.1 is already installed on your computer, it will be listed in Add or Remove Programs. You can check the product version number for affected binaries (located in the C:\Program Files\Service Bus\1.1 directory) by viewing their file properties and noting the product version found on the Details tab. The affected binaries and vulnerable product versions are listed in the table above.

How do I manually update my version of Microsoft Service Bus for Windows Server? 
Customers who opt to install the update manually, rather than install the update via Microsoft Update, should first determine which version is installed on the system (Microsoft Service Bus 1.1 is supported on Windows Server 2008 R2 Service Pack 1, Windows Server 2012, and Windows Server 2012 R2 only). If Service Bus 1.1 is installed on the system, check the build version for one of the affected binaries as described in the preceding FAQs. If the product version present on the system is vulnerable, then download and install the 2972621 update via the Microsoft Download Center links provided in the Affected Software section of this bulletin.
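The following PowerShell script is an added example and is not part of this bulletin. It automates the two checks the preceding FAQs describe: it reads the product version of each affected binary from the Service Bus 1.1 installation directory and compares it, as a version rather than as a string, against the fixed versions in the table above, and it tests for the KB2972621 registry key listed under Registry key verification later in this bulletin. It assumes the default installation path given in the FAQ and PowerShell 3.0 or later; the function and parameter names are the example's own.

```powershell
# Added example (not from the bulletin): report whether a Service Bus 1.1 node
# still carries the MS14-042 vulnerable binaries and whether KB2972621 is
# registered. Default paths are taken from the bulletin; override them with
# -InstallDir / -RegKey for a non-default installation.

# Fixed product versions from the bulletin's "Expected product version" column.
$Fixed = @{
    'Microsoft.ServiceBus.dll'                 = [version]'2.1.40512.2'
    'Microsoft.Cloud.ServiceBus.Client.dll'    = [version]'2.1.40512.2'
    'Microsoft.ServiceBus.Commands.dll'        = [version]'2.0.40512.2'
    'Microsoft.Cloud.ServiceBus.Messaging.dll' = [version]'2.0.40512.2'
}

function Test-MS14042Patched {
    [CmdletBinding()]
    param(
        [string]$InstallDir = 'C:\Program Files\Service Bus\1.1',
        [string]$RegKey = 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Updates\Service Bus 1.1\KB2972621'
    )

    if (-not (Test-Path -LiteralPath $InstallDir)) {
        # Service Bus 1.1 is not installed at this path; nothing to assess.
        return [pscustomobject]@{ Installed = $false; Patched = $null; RegistryKey = $false; Binaries = @() }
    }

    $results = foreach ($name in $Fixed.Keys) {
        $path = Join-Path $InstallDir $name
        if (-not (Test-Path -LiteralPath $path)) {
            # A missing binary is reported as unknown, not as patched.
            [pscustomobject]@{ Binary = $name; ProductVersion = $null; Fixed = $Fixed[$name]; Vulnerable = $null }
            continue
        }
        # ProductVersion is the field the FAQ tells you to read from the Details tab.
        # Compare as [version]: a string comparison would order "2.1.9..." above "2.1.40512.2".
        $pv  = (Get-Item -LiteralPath $path).VersionInfo.ProductVersion
        $ver = $null
        $parsed = [version]::TryParse(($pv -split '\s')[0], [ref]$ver)
        [pscustomobject]@{
            Binary         = $name
            ProductVersion = $pv
            Fixed          = $Fixed[$name]
            Vulnerable     = if ($parsed) { $ver -lt $Fixed[$name] } else { $null }
        }
    }

    # The registry key says the installer ran; the binary versions say whether the
    # fixed files are actually on disk. Only "Patched" below is authoritative.
    $patched = @($results | Where-Object { $_.Vulnerable -ne $false }).Count -eq 0
    [pscustomobject]@{
        Installed   = $true
        Patched     = $patched
        RegistryKey = (Test-Path -LiteralPath $RegKey)
        Binaries    = $results
    }
}

$state = Test-MS14042Patched
$state | Format-List Installed, Patched, RegistryKey
$state.Binaries | Format-Table Binary, ProductVersion, Fixed, Vulnerable -AutoSize
```

Run the script on every node in the farm (for example by passing it to Invoke-Command with the node list), because the update is applied per node; a node that reports Patched = False, or any binary with Vulnerable = True or blank, still needs the 2972621 update.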

Will this update upgrade my version of Microsoft Service Bus for Windows Server? 
No. The 2972621 update does not upgrade previous versions of Microsoft Service Bus to version 1.1. Microsoft recommends upgrading to Microsoft Service Bus 1.1 and then applying this update to be protected against the vulnerability described in this bulletin.

I am using an older release of the software discussed in this security bulletin. What should I do? 
The affected software listed in this bulletin has been tested to determine which releases are affected. Other releases are past their support life cycle. For more information about the product lifecycle, see the Microsoft Support Lifecycle website.

It should be a priority for customers who have older releases of the software to migrate to supported releases to prevent potential exposure to vulnerabilities. To determine the support lifecycle for your software release, see Select a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.

Customers who require custom support for older software must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, see the Microsoft Worldwide Information website, select the country in the Contact Information list, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. For more information, see the Microsoft Support Lifecycle Policy FAQ.

Severity Ratings and Vulnerability Identifiers

The following severity ratings assume the potential maximum impact of the vulnerability. For information regarding the likelihood, within 30 days of this security bulletin's release, of the exploitability of the vulnerability in relation to its severity rating and security impact, please see the Exploitability Index in the July bulletin summary. For more information, see Microsoft Exploitability Index.

Vulnerability Severity Rating and Maximum Security Impact by Affected Software
Affected Software | Service Bus Denial of Service Vulnerability - CVE-2014-2814 | Aggregate Severity Rating
Microsoft Service Bus 1.1 when installed on Windows Server 2008 R2 for x64-based Systems Service Pack 1 (2972621) | Moderate (Denial of Service) | Moderate
Microsoft Service Bus 1.1 when installed on Windows Server 2012 (2972621) | Moderate (Denial of Service) | Moderate
Microsoft Service Bus 1.1 when installed on Windows Server 2012 R2 (2972621) | Moderate (Denial of Service) | Moderate


Service Bus Denial of Service Vulnerability - CVE-2014-2814

A denial of service vulnerability exists in Microsoft Service Bus for Windows Server. An authenticated attacker who successfully exploited the vulnerability could cause the Service Bus to stop responding to incoming AMQP messages.

To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2014-2814.

Mitigating Factors

Mitigation refers to a setting, common configuration, or general best-practice, existing in a default state, that could reduce the severity of exploitation of a vulnerability. The following mitigating factors may be helpful in your situation:

  • Microsoft Service Bus for Windows Server is not shipped with any Microsoft operating system. For an affected system to be vulnerable, Microsoft Service Bus must first be downloaded, installed, and configured, and then its configuration details (farm certificate) shared with other users.

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but would help block known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the discussion whether a workaround reduces functionality:

Disable AMQP

If you do not need AMQP protocol functionality and connectivity, you can disable AMQP usage. To disable AMQP, follow these steps:

  1. Open the GatewayComponents.config file located in the c:\Program Files\Service Bus\1.1\ directory. (Save a back-up of this file to restore later should you want to undo this workaround.)

  2. Remove all references to the "AmqpProtocolHead" component and save the file.

  3. In order for the change to take effect, execute the following Service Bus PowerShell cmdlets:

     stop-sbhost
    

    followed by

     start-sbhost
    

    Note If more than one node exists in the configured service bus farm, then the preceding steps must be undertaken on each node in the farm.

Impact of workaround. No AMQP connections will be accepted.

How to undo the workaround.

To undo the workaround, follow these steps:

  1. Restore your backup of the GatewayComponents.config file to the c:\Program Files\Service Bus\1.1\ directory.

  2. In order for the change to take effect, execute the following Service Bus PowerShell cmdlets:

     stop-sbhost
    

    followed by

     start-sbhost 
    

    Note If more than one node exists in the configured service bus farm, then the preceding steps must be undertaken on each node in the farm.
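The following PowerShell script is an added example and is not part of this bulletin. It carries out the Disable AMQP workaround above (back up GatewayComponents.config, remove the AmqpProtocolHead references, restart the host with Stop-SBHost and Start-SBHost) and the corresponding undo steps, on a single node. It assumes GatewayComponents.config is well-formed XML and that the component is identified by an element name or attribute value containing "AmqpProtocolHead"; inspect the file before running it if your build differs. The port check at the end assumes the product's default AMQP listener port of 5672, which is not stated in this bulletin; confirm it against your farm configuration. Function names and the backup file name are the example's own.

```powershell
# Added example (not from the bulletin): apply or undo the MS14-042 "Disable AMQP"
# workaround on one node. Assumes GatewayComponents.config is XML and that the
# AmqpProtocolHead component appears as an element name or attribute value.

$ConfigPath = 'C:\Program Files\Service Bus\1.1\GatewayComponents.config'
$BackupPath = "$ConfigPath.ms14-042.bak"   # example's own backup name

function Disable-SBAmqp {
    param([string]$Path = $ConfigPath, [string]$Backup = $BackupPath)

    if (Test-Path -LiteralPath $Backup) {
        throw "Backup already exists at $Backup; the workaround may already be applied on this node."
    }
    Copy-Item -LiteralPath $Path -Destination $Backup        # step 1: keep a copy to undo with

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true                          # keep the file diff-friendly
    $xml.Load($Path)

    # Collect matches first, then remove them: removing while enumerating skips nodes.
    # Avoid the name $matches, which PowerShell reserves for -match results.
    $hits = @($xml.SelectNodes('//*') | Where-Object {
        $_.LocalName -match 'AmqpProtocolHead' -or
        ($_.Attributes | Where-Object { $_.Value -match 'AmqpProtocolHead' })
    })
    if ($hits.Count -eq 0) { throw "No AmqpProtocolHead references found in $Path; nothing changed." }
    foreach ($node in $hits) { [void]$node.ParentNode.RemoveChild($node) }
    $xml.Save($Path)                                         # step 2

    Stop-SBHost                                              # step 3: restart the Service Bus host
    Start-SBHost
    "Removed $($hits.Count) AmqpProtocolHead reference(s) and restarted the host."
}

function Enable-SBAmqp {
    # Undo: restore the backed-up config and restart the host.
    param([string]$Path = $ConfigPath, [string]$Backup = $BackupPath)

    if (-not (Test-Path -LiteralPath $Backup)) { throw "No backup found at $Backup." }
    Copy-Item -LiteralPath $Backup -Destination $Path -Force
    Remove-Item -LiteralPath $Backup
    Stop-SBHost
    Start-SBHost
    "Restored $Path from backup and restarted the host."
}

function Test-SBAmqpListener {
    # Assumed default AMQP port for Service Bus 1.1 (5672; AMQPS is 5671). After the
    # workaround the connection should be refused; before it, accepted.
    param([string]$ComputerName = 'localhost', [int]$Port = 5672, [int]$TimeoutMs = 2000)

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

# Usage on one node (run in a Service Bus PowerShell session, elevated):
#   Disable-SBAmqp;  Test-SBAmqpListener   # expect $false once the host is back up
#   Enable-SBAmqp;   Test-SBAmqpListener   # expect $true
```

As the bulletin notes, the steps must be repeated on every node in the farm; the same script can be run on each node through Invoke-Command. The listener check is a sanity test only: the workaround blocks all AMQP connections, so clients that depend on AMQP will fail until the configuration is restored.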

FAQ

What is the scope of the vulnerability?
This is a denial of service vulnerability.

What causes the vulnerability?
The vulnerability is caused when Microsoft Service Bus improperly handles specially crafted AMQP messages.

What is the Advanced Message Queuing Protocol (AMQP)?
Advanced Message Queuing Protocol (AMQP) is an efficient, reliable messaging protocol that you can use to build robust, cross-platform messaging applications. For more information about AMQP support in Microsoft Service Bus for Windows Server, see Service Bus AMQP: Developer's Guide.

What is Microsoft Service Bus for Windows Server?
Microsoft Service Bus for Windows Server is an installable component that provides messaging capabilities in Windows. It enables customers to build, test, and run message-driven applications in self-managed environments. For more information about Microsoft Service Bus for Windows Server, please see Service Bus for Windows Server (Service Bus 1.1).

What might an attacker use the vulnerability to do?
An attacker who successfully exploited the vulnerability could cause Microsoft Service Bus to stop responding to incoming messages.

How could an attacker exploit the vulnerability?
A remote authenticated attacker could exploit this vulnerability by creating and running a program that sends a sequence of specially crafted AMQP messages to the target system.

What systems are primarily at risk from the vulnerability?
Windows servers with Microsoft Service Bus for Windows Server installed, and AMQP enabled, are primarily at risk from this vulnerability.

What does the update do?
The update addresses the vulnerability by modifying how Microsoft Service Bus for Windows Server handles AMQP messages.

When this security bulletin was issued, had this vulnerability been publicly disclosed?
Yes. This vulnerability has been publicly disclosed. It has been assigned Common Vulnerability and Exposure number CVE-2014-2814.

When this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?
No. Microsoft is not aware of attacks that attempt to exploit this vulnerability.

Detection and Deployment Tools and Guidance

Several resources are available to help administrators deploy security updates. 

  • Microsoft Baseline Security Analyzer (MBSA) lets administrators scan local and remote systems for missing security updates and common security misconfigurations. 
  • Windows Server Update Services (WSUS), Systems Management Server (SMS), and System Center Configuration Manager help administrators distribute security updates. 
  • The Update Compatibility Evaluator components included with Application Compatibility Toolkit aid in streamlining the testing and validation of Windows updates against installed applications. 

For information about these and other tools that are available, see Security Tools for IT Pros.

Security Update Deployment

Microsoft Service Bus for Windows Server

Reference Table

The following table contains the security update information for this software.

Security update file name | For Microsoft Service Bus for Windows Server when installed on all supported editions of Windows Server 2008 R2, Windows Server 2012, or Windows Server 2012 R2: ServiceBusServer-KB2972621-x64-EN.exe
Installation switches See Microsoft Knowledge Base Article 934307
Restart requirement This update does not require a restart. The installer stops the required services, applies the update, and then restarts the services. However, if the required services cannot be stopped for any reason, or if required files are being used, this update will require a restart. If this behavior occurs, a message appears that advises you to restart.
Removal information | In Control Panel, open Programs and Features, locate Security Update for Service Bus 1.1 (KB2972621) in the list of installed updates, right-click it, and then click Uninstall. See Microsoft Knowledge Base Article 2972621 for instructions on how to uninstall the security update using a command line.
File information See Microsoft Knowledge Base Article 2972621
Registry key verification HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Updates\Service Bus 1.1\KB2972621


Other Information

Microsoft Active Protections Program (MAPP)

To improve security protections for customers, Microsoft provides vulnerability information to major security software providers in advance of each monthly security update release. Security software providers can then use this vulnerability information to provide updated protections to customers via their security software or devices, such as antivirus, network-based intrusion detection systems, or host-based intrusion prevention systems. To determine whether active protections are available from security software providers, please go to the active protections websites provided by program partners, listed in Microsoft Active Protections Program (MAPP) Partners.

Support

How to obtain help and support for this security update

Disclaimer

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions

  • V1.0 (July 8, 2014): Bulletin published.
  • V2.0 (October 14, 2014): Bulletin rereleased to announce the offering of the security update via Microsoft Update, in addition to the Download-Center-only option that was provided when this bulletin was originally released. Customers who have already successfully updated their systems do not need to take any action.

Page generated 2014-10-01 10:14 (UTC-07:00).