Security Bulletin
Microsoft Security Bulletin MS00-096 - Critical
Tool Available for 'SNMP Parameters' Vulnerability
Published: December 06, 2000
Version: 1.0
Originally posted: December 06, 2000
Summary
Microsoft has released a tool that corrects the permissions on several registry values in Microsoft® Windows® 2000. The default permissions could allow a malicious user to monitor or reconfigure certain devices on a network.
Affected Software:
- Microsoft Windows 2000 Professional
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
General Information
Technical details
Technical description:
This vulnerability is virtually identical to the "SNMP Parameters" vulnerability affecting Windows NT® 4.0 systems and discussed in Microsoft Security Bulletin MS00-095. The "SNMP Parameters" key, HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters, provides the SNMP community name and SNMP management station identifiers, if they exist. SNMP community strings may allow either read or read-write access to the SNMP service. If no read-write access strings exist, the user could only use this vulnerability to read information through SNMP that is normally available to local users. If read-write access strings do exist, a malicious user could use this vulnerability to make changes to any system using the same community string for read-write access. It is important to remember that SNMP v1.0 has no security by design, and any user who could monitor network traffic could also obtain the SNMP community strings. SNMP is not installed on Windows NT 4.0 machines by default.
It should be noted that the information revealed by this vulnerability is normally transmitted in plaintext across SNMP-managed networks. As a result, even in the absence of incorrect registry permissions, a malicious user could carry out the same attack if she could monitor network communications. SNMP is not installed on Windows 2000 machines by default.
Frequently asked questions
What's this bulletin about?
Microsoft Security Bulletin MS00-096 announces the availability of a Security Configuration template that eliminates a security vulnerability affecting Microsoft® Windows® 2000. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.
What's the scope of the vulnerability?
This vulnerability is, for all practical purposes, the same as the "SNMP Parameters" vulnerability discussed in Microsoft Security Bulletin MS00-095. Like that vulnerability, this one could enable a malicious user to manage or configure devices on the network. The specific privileges she could gain would vary widely from network to network, and would depend on the extent to which Simple Network Management Protocol (SNMP) is used on it. In the worst case, though, the vulnerability could enable her to misconfigure routers and firewalls, change content on web servers and database servers, stop or start services on a machine, and so forth.
SNMP is, by design, not a secure protocol. Even in the absence of inappropriate registry permissions, a malicious user could still monitor the network and obtain all the information needed to manage SNMP devices on the network. SNMP is not installed on Windows 2000 systems by default.
If this vulnerability is the same as one of those discussed in MS00-095, why have you issued a separate bulletin?
Although there is much common ground between this bulletin and MS00-095, we felt that it would be more clear if we wrote separate bulletins - MS00-095 discussing Windows NT® 4.0 vulnerabilities and this bulletin discussing Windows 2000. Here's why we concluded that treating them in the same bulletin would have been confusing:
- Of the three vulnerabilities discussed in MS00-095, only one - the "SNMP Parameters" vulnerability - also affects Windows 2000.
- In addition to correcting the three vulnerabilities discussed in MS00-095, the tool provided there also corrects a number of other incorrect registry permissions that were discussed in previous bulletins. However, none of those other keys require modification on Windows 2000 systems.
- The fix provided in MS00-095 for Windows NT 4.0 systems is a command-line tool, where the fix for Windows 2000 systems is a template for the Security Configuration and Analysis Tool. As a result, the instructions for using the respective fixes are completely different.
What causes the vulnerability?
The cause of the vulnerability is exactly the same as discussed in MS00-095. The permissions on the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters are incorrect, and could allow an unprivileged user to read or change them.
What would this allow a malicious user to do?
The effect of the vulnerability is likewise exactly the same as discussed in MS00-095. A malicious user could use this vulnerability to learn information about already-existing communities that her machine was a member of, and pose as a legitimate SNMP manager in order to monitor or reconfigure devices in the community.
Is there anything different between this vulnerability and its Windows NT 4.0 counterpart?
Yes. Under default conditions, this vulnerability could not be exploited remotely on Windows 2000 systems. We noted in MS00-095 that Windows NT 4.0 workstations' default settings allow remote access to the registry. However, all Windows 2000 systems - including workstations - disallow remote access to the registry by default.
Is there anything different about how the fix discussed below works, as compared to the Windows NT 4.0 fix?
Yes. If you apply the template, and then install SNMP later, the right permissions will be retained on the registry keys. In contrast, the Windows NT 4.0 discussed in MS00-095 would need to be re-applied if the administrator installed SNMP.
What does the patch do?
The patch contains a template for use in the Security Configuration and Analysis tool, that resets the registry permissions to the appropriate values.
Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.
What permissions are set by the template?
The template sets the following permissions on the following keys and their subkeys:
| Hive | Key | Permission |
|---|---|---|
| HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet | Services\SNMP\Parameters\ PermittedManagers | Administrators, System,\ Creator Owner: Full |
| HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet | Services\SNMP\Parameters\ ValidCommunities | Administrators, System,\ Creator Owner: Full |
What is Microsoft doing about this issue?
- Microsoft has delivered a Security Configuration and Analysis template that eliminates the vulnerability.
- Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the procedure to eliminate it.
- Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
- Microsoft has issued a Knowledge Base article explaining the vulnerability and procedure in more detail.
Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.
How do I get technical support on this issue?
Microsoft Product Support Services can provide assistance with this or any other product support issue.
Patch availability
Download locations for this patch
-
Note: The Security Configuration and Analysis template provided in the patch can be applied to any Windows 2000 system.
Additional information about this patch
Installation platforms: Please see the following references for more information related to this issue.
Microsoft Security Bulletin MS00-095, Microsoft Security Bulletin https://www.microsoft.com/technet/security/bulletin/MS00-095.mspx.
Microsoft Knowledge Base (KB) article Q266794,
Other information:
Acknowledgments
Microsoft thanks Chris Anley of @stake (https://www.atstake.com) for reporting this issue to us and working with us to protect customers
Support: This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at </https:>https:.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- December 06, 2000: Bulletin Created.
Built at 2014-04-18T13:49:36Z-07:00 </https:>