Microsoft Security Bulletin MS01-039 - Critical
Published: July 23, 2001 | Updated: June 13, 2003
Version: 1.1
Who should read this bulletin:
System administrators using Microsoft® Services for Unix 2.0.
Impact of vulnerability:
Denial of service
Recommendation:
System administrators using the NFS or Telnet services provided in Services for Unix should install the patch.
Affected Software:
- Microsoft Services for Unix 2.0
Technical description:
Among the components provided by Services for Unix (SFU) 2.0 are services that implement the NFS (Network File System) and Telnet protocols. Both services contain memory leaks that could be triggered by a user request. An attacker who repeatedly sent such a request could deplete the kernel memory on the server to the point where performance slowed and the system could potentially fail.
Mitigating factors:
- Only the implementations provided in SFU 2.0 are affected. In particular, the Telnet services provided in Windows NT® 4.0 and Windows® 2000 are not affected by the vulnerability.
- There is no capability via the vulnerability to usurp any administrative control over the server or compromise any data on it.
Vulnerability identifier: CAN-2001-0505
Tested Versions:
Microsoft tested Services for Unix 1.0 and 2.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.
How are the vulnerabilities discussed in this bulletin related to each other?
The vulnerabilities are only related in the sense that both affect services that are included in Services for Unix 2.0. We've packaged them together to make it more convenient to find and apply the patches.
What is Services for Unix?
Services for Unix (SFU) is a set of components that can be installed on Windows NT 4.0 or Windows 2000 and make it easy for customers to integrate Windows into their existing Unix environments. It provides Windows-based implementations of common Unix tools and services, as well as providing tools that enable administrators to more easily manage heterogeneous networks.
What are the vulnerabilities?
There are two vulnerabilities:
- A vulnerability that could enable an attacker to cause the NFS service in SFU 2.0 to fail.
- A vulnerability that could enable an attacker to cause the Telnet service in SFU 2.0 to fail.
What's the scope of the first vulnerability?
This is a denial of service vulnerability. An attacker who successfully exploited it could prevent an affected system from providing file-sharing services, and potentially cause the system itself to fail and require rebooting. It would not provide any means of usurping control over the system, nor would it enable the attacker to compromise any of the files on the server.
What causes the vulnerability?
The vulnerability results because the NFS service in SFU 2.0 contains a memory leak. If a particular type of malformed request were repeatedly sent to an affected server, it could exhaust the memory on the server, potentially causing the system to fail.
What is NFS?
Network File System (NFS) is an industry standard protocol, defined in RFC 1094, that provides transparent, remote access to shared files across networks. For instance, suppose that machines A, B and C all contained data that was intended to be shared with all of the users on a network. Using NFS, users wouldn't need to know where the particular data resided in order to navigate and use it. Instead, NFS would make it appear that all of the data resided on a single, fictitious machine.
What's wrong with NFS service in SFU 2.0?
The NFS implementation in SFU 2.0 contains a memory leak that can be triggered by a particular type of request to the service.
What's a memory leak?
A memory leak is a condition that occurs when a program doesn't properly return memory to the operating system after it's done using it. One of the chief purposes of an operating system is to broker resources like memory among competing programs. When a program needs memory to carry out an operation, the operating system provides it; when the program no longer needs it, it should release the memory so the operating system can allocate it to another program.
A memory leak occurs when a programming flaw prevents the program from returning the memory when it's done using it. Rather than being made available to the operating system again, the memory remains allocated to the program even though it's no longer using it. If the leak occurs enough times, it can deplete the pool of available memory on the server to the point where the server becomes unresponsive or fails altogether.
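The pattern described in the two paragraphs above, as an added example that is not Microsoft's code and not the SFU source (which is not public): a toy request handler that allocates a per-request buffer and forgets to release it on the rejection path, beside a corrected version that validates first and frees on every exit. The request format, the MAX_PAYLOAD limit and the two sample requests are invented for illustration, and the byte counter is instrumentation that stands in for the memory pressure an administrator would observe on a real server.

```c
/* Added example: a request-driven memory leak and its fix.
 * Not Microsoft's code; the request format, limit and sample
 * requests below are invented for this illustration. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Toy request: a length field and a pointer to that many payload bytes.
 * This is not the NFS or Telnet wire format. */
typedef struct {
    uint32_t len;
    const uint8_t *payload;
} request_t;

#define MAX_PAYLOAD 4096u

/* Instrumentation: bytes currently held by the handlers. A real server has
 * no such counter, which is why a leak shows up only as memory pressure. */
static size_t g_outstanding;

static void *track_alloc(size_t n) {
    void *p = malloc(n);
    if (p != NULL) g_outstanding += n;
    return p;
}

static void track_free(void *p, size_t n) {
    free(p);
    g_outstanding -= n;
}

/* Vulnerable handler: allocates a per-request buffer first, then rejects an
 * oversized request with an early return that skips the release. Every
 * malformed request therefore costs the server MAX_PAYLOAD bytes for good.
 * Returns 0 on success, -1 on a rejected request. */
int handle_request_leaky(const request_t *req) {
    uint8_t *buf = track_alloc(MAX_PAYLOAD);
    if (buf == NULL) return -1;
    if (req->len > MAX_PAYLOAD) {
        return -1;                       /* BUG: buf is never released */
    }
    memcpy(buf, req->payload, req->len);
    /* ... process the request ... */
    track_free(buf, MAX_PAYLOAD);
    return 0;
}

/* Fixed handler: validate before allocating, and release on every exit path. */
int handle_request_fixed(const request_t *req) {
    if (req->len > MAX_PAYLOAD) return -1;   /* reject before owning anything */
    uint8_t *buf = track_alloc(MAX_PAYLOAD);
    if (buf == NULL) return -1;
    memcpy(buf, req->payload, req->len);
    /* ... process the request ... */
    track_free(buf, MAX_PAYLOAD);
    return 0;
}

/* Constructed sample requests (not captured traffic): one well-formed,
 * one whose length field exceeds the buffer size. */
static const uint8_t k_payload[16] = {0};
const request_t k_good = { .len = sizeof k_payload, .payload = k_payload };
const request_t k_bad  = { .len = MAX_PAYLOAD + 1,  .payload = k_payload };

/* Feed `count` copies of `req` to `handler` and return the bytes still
 * allocated afterwards: the leak an attacker accumulates per request. */
size_t run_requests(int (*handler)(const request_t *),
                    const request_t *req, unsigned count) {
    g_outstanding = 0;
    for (unsigned i = 0; i < count; i++) {
        handler(req);
    }
    return g_outstanding;
}

int main(void) {
    printf("leaky handler, 1000 malformed requests: %zu bytes leaked\n",
           run_requests(handle_request_leaky, &k_bad, 1000));
    printf("leaky handler, 1000 valid requests:     %zu bytes leaked\n",
           run_requests(handle_request_leaky, &k_good, 1000));
    printf("fixed handler, 1000 malformed requests: %zu bytes leaked\n",
           run_requests(handle_request_fixed, &k_bad, 1000));
    return 0;
}
```

Note that the leaky handler loses nothing on well-formed requests, so ordinary use and functional testing never expose the bug; only the malformed path leaks, and that is precisely the request an attacker sends in a loop. Moving the validation ahead of the allocation, as the fixed handler does, removes the early-return path that owned memory, which is the simplest way to make "release on every path" hold.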
What would this vulnerability enable an attacker to do?
An attacker could exploit this vulnerability as a means of preventing the system from providing useful service to other users. Not only would the memory leak prevent the NFS service from operating, it would slow the overall performance of the system and could potentially cause it to fail altogether.
What would be required in order to resume normal service?
The administrator would need to reboot the machine in order to free the memory and resume normal operation.
Would the vulnerability allow the attacker to take any more serious action?
No. Even though the vulnerability involves the NFS service, it wouldn't put any of the data in the file system at risk. The attacker could not use the vulnerability to compromise any of the data, nor to gain any privileges on the system.
Does the vulnerability affect any versions of SFU other than SFU 2.0?
No. It only affects the NFS service in SFU 2.0.
How does the patch eliminate the vulnerability?
The patch causes the NFS service in SFU 2.0 to correctly release all memory when it's finished using it.
What's the scope of the second vulnerability?
This is a denial of service vulnerability. The scope of this vulnerability is similar to that of the vulnerability discussed above:
- An attacker who successfully exploited it would be able to disrupt normal service on the system, including potentially causing it to fail.
- The vulnerability would not provide the attacker with the ability to usurp any kind of administrative control over the system.
- An affected system could be put back into service by rebooting.
What causes the vulnerability?
The vulnerability results because the Telnet service in SFU 2.0 contains a memory leak that could be used to slow the performance of the system or cause it to fail altogether.
Are there any differences between this vulnerability and the one affecting the NFS service?
No. This vulnerability has exactly the same cause, effect, and remediation as the one affecting the NFS service in SFU 2.0. The sole difference lies in the specific services involved in the vulnerabilities.
Does this vulnerability affect the Telnet server that ships in Windows NT 4.0 or Windows 2000?
No. Both Windows NT 4.0 and Windows 2000 ship with a native Telnet server, which is completely different from the one included in SFU 2.0. Neither is affected by this vulnerability.
How does the patch eliminate this vulnerability?
The patch eliminates the vulnerability by removing the memory leak condition and ensuring that all memory is returned to the system when no longer needed.
Download locations for this patch
- NFS patch:
- Telnet patch:
Installation platforms:
This patch can be installed on systems running Services for Unix 2.0 on the following operating systems:
- Windows NT 4.0 Service Pack 6a
- Windows 2000 Service Pack 1 or Service Pack 2.
Inclusion in future service packs:
The fix for this issue will be included in Services for Unix 3.0.
Reboot needed: Yes
Superseded patches:
None.
Verifying patch installation:
NFS patch:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Services for UNIX\Hotfix\Q294380
To verify the individual files, consult the file manifest in Knowledge Base article Q294380.
Telnet patch:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Services for UNIX\Hotfix\Q301514
To verify the individual files, consult the file manifest in Knowledge Base article Q301514.
Caveats:
None
Localization:
Services for Unix 2.0 was only released in English and Japanese. These language versions are available from the download locations listed in the section titled "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.
Acknowledgments
Microsoft thanks Peter Grundl for reporting this issue to us and working with us to protect customers.
Support:
- Microsoft Knowledge Base articles Q301514 and Q294380 discuss this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- V1.0 (July 23, 2001): Bulletin Created.
- V1.1 (June 13, 2003): Updated download links to Windows Update.