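From: tw-cert ()
Board: security
Date: Mon Mar 18 19:26:46 2002
Subject: TW-CA-2002-049-[MS02-006: Patch Available for "Unchecked Bu

TW-CA-2002-049-[MS02-006: Patch Available for "Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run" Vulnerability]
-------------------------------------------------------------------------------
TWCERT release date: 2002-03-15
Original vulnerability release date: 2002-02-15
Category: DoS
Source reference: Microsoft Security Bulletin (MS02-006)

------ Summary ----------------------------------------------------------------
Who should read this document: System administrators who use Simple Network Management Protocol (SNMP) to manage Microsoft® Windows® 95, 98, 98SE, Windows NT® 4.0, Windows 2000 or Windows XP.

Impact of vulnerability: Denial of Service; allows an attacker to run arbitrary code
Risk rating: Moderate
Recommendation: Users running the SNMP service on Windows 2000 and Windows XP need to apply this patch. Other users should disable the SNMP service or update it.

Information about this patch is available at:
http://www.microsoft.com/technet/security/bulletin/MS02-006.asp

------ Description ------------------------------------------------------------
On 2002/02/12, Microsoft released the original version of this bulletin, in which it described in detail how users should protect themselves from this vulnerability. On 2002/02/15, Microsoft released an updated version of the bulletin, releasing the patches for Windows 2000 and Windows XP and giving users the required procedures for those platforms. Patches for other platforms will be announced soon, and this bulletin will be updated.

Simple Network Management Protocol (SNMP) is a standard network protocol that can manage different network interfaces such as firewalls, computers and routers. All versions of Windows except Windows ME provide SNMP, but by default it is neither installed nor started in any version.

Sending a specially crafted management request to an affected SNMP server causes a buffer overflow, which an attacker can use to cause a denial of service. In addition, arbitrary code can be run on the system, and the attacker can obtain whatever data he wants on it.

- Risk:

                                         Internet Servers  Intranet Servers  Client Systems
Windows 95                               None              None              Moderate
Windows 98                               None              None              Moderate
Windows 98SE                             None              None              Moderate
Windows ME                               None              None              None
Windows NT 4.0                           Low               Moderate          Moderate
Windows NT 4.0 Terminal Server Edition   Low               Moderate          None
Windows 2000                             Low               Moderate          Moderate
Windows XP                               None              None              Moderate

- Tested platforms:
Microsoft tested Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000 and Windows XP; these platforms are all affected by this vulnerability. Other versions are not supported, and may or may not be affected by the vulnerability.

- Revisions:
V1.0 (2002/02/12): Published
V2.0 (2002/02/15): Bulletin updated to provide patches for Windows 2000 and Windows XP

------ Affected Platforms -----------------------------------------------------
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP

------ Solution ---------------------------------------------------------------
The patch can be obtained from the following locations:

Windows 2000:
http://www.microsoft.com/downloads/release.asp?ReleaseID=36142
Windows XP:
http://www.microsoft.com/downloads/release.asp?ReleaseID=36262

Patches for other platforms are under development and will be released soon. When there is news, this bulletin will be updated with information on how to obtain and install those patches.

- Installation platforms
1. This patch can be installed on Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2.
2. The patch for Windows XP can be installed on Windows XP Gold.
3. This patch will be included in Windows 2000 Service Pack 3.
4. This patch will be included in Windows XP Service Pack 1.

- Reboot requirement
A reboot is required after this patch is installed.

- Verifying patch installation
Windows 2000 users:
To confirm that the patch has been installed correctly on the machine, check that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147
To verify the individual files, use the date/time and version information in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147\Filelist

Windows XP users:
To confirm that the patch has been installed correctly on the machine, check that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147
To verify the individual files, use the date/time and version information in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147\Filelist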
- Ways to obtain patches:
1. From the Microsoft Download Center, where they can be found by searching for the string "security_patch".
2. Microsoft users can obtain them from the WindowsUpdate web site: http://windowsupdate.microsoft.com/
3. All patches are available from the WindowsUpdate web site, and are also available from the WindowsUpdate Corporate site.

- Patches for other security issues are available from the Microsoft Download Center.

------ Impact -----------------------------------------------------------------
SNMP is very widely used, and this vulnerability can cause a denial of service or network-related problems; an attacker may also use it to gain privileges and affect the whole system. Systems that use the SNMP service should therefore be patched as soon as possible, or have the service disabled.

------ Contact TW-CERT --------------------------------------------------------
Tel: 886-7-5250211    Fax: 886-7-5250212
     886-2-23563303        886-2-23924082
Email: twcert@cert.org.tw
URL: http://www.cert.org.tw/
PGP key: http://www.cert.org.tw/eng/pgp.htm
===============================================================================
Attachment: [MS02-006: Patch Available for "Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run" Vulnerability]

------ Overview ---------------------------------------------------------------
Who should read this bulletin: System administrators who use Simple Network Management Protocol to manage Microsoft® Windows® 95, 98, 98SE, Windows NT® 4.0, Windows 2000 or Windows XP systems

Impact of vulnerability: Denial of Service, potentially run code of attacker’s choice

Maximum Severity Rating: Moderate

Recommendation: Customers using SNMP on Windows 2000 and Windows XP should apply the patch. All other customers should disable SNMP service if running; apply patch when available

------ Description ------------------------------------------------------------
On February 12 2002, Microsoft released the original version of this bulletin. In it, we detailed a work-around procedure that customers could implement to protect themselves against a publicly disclosed vulnerability.
An updated version of this bulletin was released on February 15, 2002, to announce the availability of the patch for Windows 2000 and Windows XP and to advise customers that the work-around procedure is no longer needed on those platforms. Patches for additional platforms are forthcoming and this bulletin will be re-released to announce their availability.

Simple Network Management Protocol (SNMP) is an Internet standard protocol for managing disparate network devices such as firewalls, computers, and routers. All versions of Windows except Windows ME provide an SNMP implementation, which is neither installed nor running by default in any version.

A buffer overrun is present in all implementations. By sending a specially malformed management request to a system running an affected version of the SNMP service, an attacker could cause a denial of service. In addition, it is possible that he could cause code to run on the system in LocalSystem context. This could potentially give the attacker the ability to take any desired action on the system.

A patch is under development to eliminate the vulnerability. In the meantime, Microsoft recommends that customers who use the SNMP service disable it temporarily. Patches will be available shortly, at which time we will re-release this bulletin with updated details.

Mitigating factors:
- The SNMP service is neither installed nor running by default in any version of Windows.
- Standard firewalling practices recommend blocking the port over which SNMP operates (UDP ports 161 and 162). If these recommendations have been followed, the vulnerability could only be exploited by an intranet user.
- Standard security recommendations recommend against using SNMP except on trusted networks, as the protocol, by design, provides minimal security.
Severity Rating:

                                         Internet Servers  Intranet Servers  Client Systems
Windows 95                               None              None              Moderate
Windows 98                               None              None              Moderate
Windows 98SE                             None              None              Moderate
Windows ME                               None              None              None
Windows NT 4.0                           Low               Moderate          Moderate
Windows NT 4.0 Terminal Server Edition   Low               Moderate          None
Windows 2000                             Low               Moderate          Moderate
Windows XP                               None              None              Moderate

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. The SNMP service does not install by default on any version of Windows. Additionally, following well-known best practices for using SNMP (blocking at the router) protects against attempts to exploit this vulnerability.

Vulnerability identifier: CAN-2002-0053

Tested Versions:
Microsoft tested Windows 95, Windows 98, Windows 98SE, Windows ME, Windows NT 4.0, Windows 2000, and Windows XP to assess whether they are affected by this vulnerability. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

------ Platform ---------------------------------------------------------------
Microsoft Windows 95
Microsoft Windows 98
Microsoft Windows 98SE
Microsoft Windows NT 4.0
Microsoft Windows NT 4.0 Server, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP

------ Solution ---------------------------------------------------------------
Download locations for this patch

Windows 2000:
http://www.microsoft.com/downloads/release.asp?ReleaseID=36142
Windows XP:
http://www.microsoft.com/downloads/release.asp?ReleaseID=36262

Patches for other platforms are under development and will be available shortly. When this happens, we will re-release this bulletin with information on how to obtain and install these patches.
Additional information about this patch

Installation platforms:
- Windows 2000: This patch can be installed on systems running Windows 2000 Service Pack 1 or Windows 2000 Service Pack 2
- The patch for Windows XP can be installed on systems running Windows XP Gold.

Inclusion in future service packs:
- The fix for this issue will be included in Windows 2000 Service Pack 3.
- The fix for this issue will be included in Windows XP Service Pack 1.

Reboot needed: Yes

Superseded patches: None.

Verifying patch installation:

Windows 2000:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147
To verify the individual files, use the date/time and version information provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147\Filelist

Windows XP:
To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147
To verify the individual files, use the date/time and version information provided in the following registry key:
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147\Filelist

Additional Platforms: Patches are under development and will be available shortly.

Caveats: None

Localization: Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
- Patches for consumer platforms are available from the WindowsUpdate web site.
- All patches available via WindowsUpdate also are available in a redistributable form from the WindowsUpdate Corporate site.

Other information:

Support:
- Microsoft Knowledge Base article Q314147 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
V1.0 (February 12, 2002): Bulletin Created.
V2.0 (February 15, 2002): Bulletin updated to include patch availability of patches for Windows 2000 and Windows XP.

------ Impact -----------------------------------------------------------------
Denial of Service, potentially run code of attacker’s choice

--
 * Origin: National Sun Yat-sen University - 美麗之島 BBS * From: 140.117.101.140 [authenticated]
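
The two checks this advisory asks of a Windows 2000 or Windows XP administrator (is the SNMP service running, and is the Q314147 registry key from "Verifying patch installation" present), as an added batch example that is not part of the TW-CERT post or the Microsoft bulletin. It assumes reg.exe is available (built in on Windows XP, from the Support Tools on Windows 2000) and the English service display name "SNMP Service".

```batch
@echo off
rem Added example, not from the advisory: reports whether this machine
rem runs the SNMP service and whether the MS02-006 (Q314147) patch key exists.
rem Assumptions: reg.exe is on the PATH; the service display name is the
rem English "SNMP Service" (adjust the string on localized systems).
setlocal

rem Registry keys quoted in the bulletin's "Verifying patch installation".
set "KEY2K=HKLM\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\Q314147"
set "KEYXP=HKLM\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q314147"

rem "net start" with no arguments lists running services by display name.
rem "SNMP Trap Service" does not contain this string, so it is not matched.
set "SNMP=not running"
net start | find /i "SNMP Service" >nul && set "SNMP=running"

rem Only the key for the installed OS can exist, so probe both.
set "PATCHKEY="
reg query "%KEY2K%" >nul 2>&1 && set "PATCHKEY=%KEY2K%"
reg query "%KEYXP%" >nul 2>&1 && set "PATCHKEY=%KEYXP%"

echo SNMP service: %SNMP%
if defined PATCHKEY (
    echo Q314147 patch key found: %PATCHKEY%
    rem Filelist holds the date/time and version of each patched file;
    rem compare these against the values Microsoft publishes for the patch.
    reg query "%PATCHKEY%\Filelist" /s
) else (
    echo Q314147 patch key NOT found.
)

rem Exit code for use from a logon script or inventory job:
rem   0 = patch key present, or SNMP not running
rem   1 = SNMP running and no patch key, which is the exposed state
if "%SNMP%"=="running" if not defined PATCHKEY (
    echo ACTION: apply the MS02-006 patch or disable the SNMP service.
    exit /b 1
)
exit /b 0
```

A missing key on a machine where SNMP is not running is reported but not treated as a failure, matching the bulletin's statement that the service is neither installed nor running by default.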