Microsoft Security Bulletin MS01-011 - Critical
Malformed Request to Domain Controller can Cause CPU Exhaustion
Published: February 20, 2001 | Updated: June 23, 2003
Who should read this bulletin:
System administrators using Microsoft® Windows® 2000 domain controllers.
Impact of vulnerability:
Denial of service
Recommendation:
Install patch on domain controllers
Affected Software:
- Microsoft Windows 2000 Server
- Microsoft Windows 2000 Advanced Server
- Microsoft Windows 2000 Datacenter Server
Technical description:
A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a flaw affecting how it processes a certain type of invalid service request. Specifically, the service should handle the request at issue here by determining that it is invalid and simply dropping it; in fact, the service performs some resource-intensive processing and then sends a response.
If an attacker sent a continuous stream of such requests to an affected machine, it could consume most or all of the machine's CPU availability. This could cause the domain controller to process requests for service slowly or not at all, and could limit the number of new logons the machine could process and the number of Kerberos tickets that could be issued.
Mitigating factors:
- The machine would automatically resume normal processing as soon as the stream of requests ceased.
- Although the attacker could, in theory, use the vulnerability to completely deny service to network users, in practice the attack rarely consumes more than 75% of the available CPU resources.
- Users who were already logged on and were using previously issued tickets would not be affected by domain controller unavailability.
- If there were multiple domain controllers on the domain, the unaffected machines could pick up the other machine's load.
- If normal security practices have been followed, Internet users would be prevented by firewalling and other measures from levying requests directly to domain controllers.
Vulnerability identifier: CAN-2001-0018
Frequently asked questions
What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a continuous stream of specially malformed packets to a domain controller, an attacker could consume most or all of the machine's resources, potentially preventing it from authenticating users. In the worst case, the net result could be that new users might be unable to log on, and logged-on users might be unable to use some network resources. The effects of the attack would not be permanent, and normal processing would resume once the stream of packets was stopped. If there were multiple domain controllers on a domain, the other machines would assume part of the affected machine's load. Also, if best practices have been followed, the vulnerability could only be exploited by a user within the network -- the ports used in this attack should be blocked at the firewall.
What causes the vulnerability?
This vulnerability results because one of the services used by Windows 2000 domain controllers doesn't appropriately validate requests before processing them. In at least one case, the service would attempt to process an invalid request, rather than simply discarding it. This processing is fairly resource-intensive.
What could an attacker do via this vulnerability?
By sending the domain controller a continuous stream of specially selected invalid requests, an attacker could disrupt service on the machine. Specifically, she could cause the machine to devote most or all of its resources to responding to invalid requests, which would cause the machine's response to other, valid requests to slow or stop altogether.
If a domain controller's resources were monopolized in this fashion, what would be the effect?
Let's consider the worst case, in which there's only a single domain controller in the domain, and the attacker manages to use 100% of the machine's resources. In this case, the principal effect of a successful attack via this vulnerability would be to prevent the domain controller from logging new users onto the domain, and to prevent the machine from fulfilling queries to the Active Directory.
Would an attack prevent previously logged-on users from using network resources?
Not necessarily. Recall that Windows 2000 uses Kerberos as its default authentication protocol. In Kerberos, the domain controller does not authenticate every use of network resources, but instead provides a reusable ticket the first time a user requests a particular resource. When the user subsequently needs to use that resource, the domain controller doesn't need to be involved in the authentication process. This means that even in the case of a successful attack, users would be able to continue using any resources for which they already had tickets, but they might be unable to obtain new tickets for other resources.
Could this vulnerability cause the domain controller to fail?
No. There is no capability to cause either the machine or the affected service to fail via this vulnerability. This is strictly a denial of service attack effected via resource consumption.
Does the vulnerability always enable the attacker to monopolize all of the machine's resources?
No. In our tests, we were rarely able to drive CPU utilization higher than 75%.
What if the domain had several domain controllers?
In domains that contain multiple domain controllers, the machines work together and shift their workloads dynamically. The more domain controllers there are in a single domain, the less noticeable the loss of a single one would be.
Couldn't I just disable the service that contains the flaw?
No. The affected service is one of the core services on domain controllers and cannot be disabled.
This sounds like a flooding attack, rather than a true security vulnerability. Is it?
There are some similarities between this vulnerability and a flooding attack; for instance, the attack would only persist until the attacker stopped sending requests to the affected machine. Typically, we do not issue patches for flooding attacks. However, in this case, we decided to treat this issue as a vulnerability for two reasons:
- There are elements of this issue that aren't like normal flooding attacks. Specifically, a flooding attack usually involves legitimate requests that happen to be resource-intensive to process. In this case, the requests are invalid and the service should discard them after only a cursory inspection.
- The machines affected by this vulnerability are domain controllers. Because of the centrality of domain controllers to a network, we chose to err on the side of caution and produce a patch.
Could this vulnerability be exploited from the Internet?
If normal security practices have been followed, this vulnerability could only be exploited from within the network. Typically, domain controllers are not used as network edge machines, and firewalling is used to prevent users outside the network from levying any requests directly upon them. If these practices have been followed, Internet users would not be able to send the malformed request to the affected service, and as a result they would be unable to exploit the vulnerability.
Does this vulnerability affect Windows NT® 4.0 domain controllers?
No. Only Windows 2000 domain controllers are affected.
Does this vulnerability affect Windows 2000 workstations or member servers?
No. It only affects domain controllers.
Who should use the patch?
Microsoft recommends that customers consider installing the patch on their Windows 2000 domain controllers.
What does the patch do?
The patch eliminates the vulnerability by causing the affected service to correctly treat as invalid the request at issue here.
Download locations for this patch
This patch has been superseded by the one provided in Microsoft Security Bulletin MS01-024.
Additional information about this patch
Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 3.
Verifying patch installation:
Use the information below only if you have installed the patch provided in this bulletin. If you install a patch that supersedes this one, use the verification information for the superseding patch.
- To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q287397.
- To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q287397\Filelist
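The registry check described in the two items above, as an added PowerShell example that is not part of the bulletin. It assumes it is run on the domain controller being checked and that the Filelist subkey holds one entry per patched file; the value names inside those entries vary between hotfixes, so the script lists whatever it finds rather than assuming names.

```powershell
# Added example, not from the bulletin: confirm the MS01-011 patch (Q287397) is
# recorded on this machine and list the file details the patch registered.
$PatchKey = 'HKLM:\SOFTWARE\Microsoft\Updates\Windows 2000\SP2\Q287397'

function Test-Ms01011Patch {
    if (-not (Test-Path -Path $PatchKey)) {
        # Per the bulletin, a superseding patch (MS01-024) records its own key;
        # its absence here is not proof the machine is unpatched.
        Write-Host "Q287397 key not found: MS01-011 patch not recorded here."
        Write-Host "If the MS01-024 patch was installed, verify against its key instead."
        return $false
    }
    Write-Host "Q287397 key present: MS01-011 patch recorded as installed."

    $fileList = Join-Path -Path $PatchKey -ChildPath 'Filelist'
    if (Test-Path -Path $fileList) {
        # Assumption: one subkey per file, each carrying date/time/version values.
        Get-ChildItem -Path $fileList | ForEach-Object {
            Write-Host ("-- Filelist entry: " + $_.PSChildName)
            Get-ItemProperty -Path $_.PSPath |
                Select-Object -Property * -ExcludeProperty PS* |
                Format-List | Out-String | Write-Host
        }
    } else {
        Write-Host "No Filelist subkey found; compare file versions against Q287397 manually."
    }
    return $true
}

Test-Ms01011Patch
```

Compare the listed date/time/version values against the files on disk; a present key with mismatched file versions points to a later rollback or overwrite.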
Localized versions of this patch are available from the download locations listed in the section titled "Patch Availability".
Obtaining other security patches:
Patches for other security issues are available from the following locations:
- Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch"
- Patches are also available from the WindowsUpdate web site
- Microsoft Knowledge Base article Q287397 discusses this issue and will be available approximately 24 hours after the release of this bulletin. Knowledge Base articles can be found on the Microsoft Online Support web site.
- Technical support is available from Microsoft Product Support Services. There is no charge for support calls associated with security patches.
Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
- V1.0 (February 20, 2001): Bulletin published.
- V1.1 (May 09, 2001): Bulletin updated to advise that the patch has been superseded by the one provided in MS01-024.
- V1.2 (June 23, 2003): Updated Windows Update download links.