Microsoft Security Bulletin (MS99-004)

[aleph1 () UNDERGROUND ORG (aleph1 () UNDERGROUND ORG)]

The following is a Security  Bulletin from the Microsoft Product Security
Notification Service.

Please do not  reply to this message,  as it was sent  from an unattended
mailbox.
                    ********************************

Microsoft Security Bulletin (MS99-004)
--------------------------------------

Patch Available for Authentication Processing Error in Windows NT (r) 4.0
Service Pack 4

Originally Posted: February 8, 1999

Summary
=======
Microsoft has released a patch that eliminates a logic error in Service Pack
4 for Windows NT 4.0 that could, under certain conditions, allow a user to
log on interactively and connect to network shares using a blank password.
The vulnerability primarily, but not exclusively, affects Windows NT servers
that serve as domain controllers in environments with DOS, Windows 3.1,
Windows for Workgroups, OS/2 or Macintosh clients. In general, customers who
have deployed only Windows NT, Windows 95 and Windows 98 client workstations
are not at risk from this vulnerability.

A fully supported patch is available for this vulnerability, and Microsoft
recommends that all customers evaluate the risk to their systems and, as
appropriate, download and install it on affected computers.

Issue
=====
The Windows NT Security Account Manager (SAM) database stores the hashed
password for each user account in two forms: an "NT hash" form that is used
to authenticate users on Windows NT clients, and an "LM hash" form that is
used to authenticate users on Windows 95, Windows 98, and downlevel clients
such as DOS, Windows 3.1, Windows for Workgroups, OS/2 and Macintosh. When a
user changes his password via a Windows NT, Windows 95 or Windows 98 client,
both the "NT hash" and "LM hash" forms of the password are updated in the
SAM. However, when the user changes his password via a downlevel client,
only the "LM hash" form of the password is stored; a null value is stored in
the "NT hash" field. This is normal operation.

When a user attempts an interactive logon or a network share connection from
a Windows NT system, the Windows NT authentication process uses the "NT
hash" form of the password. If the "NT hash" is null, the "LM hash" of the
password is used for verification. (Windows 95, Windows 98 and downlevel
clients always use only the "LM hash" for verification.) The logic error in
Service Pack 4 incorrectly allows a null "NT hash" value to be used for
authentication from Windows NT systems. The result is that if a user
account's password was last changed from a DOS, Windows 3.1, Windows for
Workgroups, OS/2 or Macintosh client, a user can logon into that account
from a Windows NT system using a blank password.

By far the most likely machines to be affected by this vulnerability would
be domain controllers running Windows NT 4.0 SP 4, in networks that contain
any of the downlevel clients listed above. However, any server or
workstation running Windows NT 4.0 SP 4 that contains a SAM database with
active users who communicate from downlevel clients would be vulnerable to
this problem. For example, a workgroup of Windows NT 4.0 SP 4 systems, one
of which is accessed by Windows for Workgroups clients, would be affected by
this vulnerability.

It is worth reiterating the following points:
 - Even on an affected network, a user whose most recent
   password change was performed via Windows NT, Windows 95
   or Windows 98 workstations will have a non-null "NT hash"
   value, and hence will not be at risk.
 - Customers who are affected by the vulnerability need only
   apply the patch to machines that contain SAM databases
   with active user accounts.
 - There is no need for users to update or change their passwords
   after applying the patch. Even in vulnerable systems, the SAM
   database entries are valid; the problem lies in the way SP4
   processes them. The patch corrects the authentication process
   logic in SP4 without changing the SAM database entries in any way.

Affected Software Versions
==========================
The following software versions are affected:
 - Microsoft Windows NT 4.0, Service Pack 4

What Microsoft is Doing
=======================
On February 8th, Microsoft released a patch that fixes the problem
identified above. This patch is available for download from the sites listed
below.

Microsoft has sent this security bulletin to customers subscribing
to the Microsoft Product Security Notification Service (see
http://www.microsoft.com/security/services/bulletin.asp for more
information about this free customer service).

Microsoft has published the following Knowledge Base (KB) article on this
issue:
 - Microsoft Knowledge Base (KB) article Q214840,
   MSV1_0 Incorrectly Allows Network Connections for Specific Accounts
   http://support.microsoft.com/support/kb/articles/q214/8/40.asp
   (Note: It might take 24 hours from the original posting of this
   bulletin for the KB article to be visible in the Web-based
   Knowledge Base.)

Microsoft has posted the following hot fixes to address this problem.
Please note that the URLs below have been word-wrapped for readability.
 - Fix for x86 version:
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public
   /fixes/usa/NT40/hotfixes-postSP4/Msv1-fix/msv-fixi.exe
 - Fix for Alpha version:
   ftp://ftp.microsoft.com/bussys/winnt/winnt-public
   /fixes/usa/NT40/hotfixes-postSP4/Msv1-fix/msv-fixa.exe

What Customers Should Do
========================
The patch for this vulnerability is fully supported, and Microsoft
recommends that all affected customers apply it. The URLs for the patch are
provided above in What Microsoft is Doing.

More Information
================
Please see the following references for more information related to this
issue.
 - Microsoft Security Bulletin MS99-004,
   Patch Available for Authentication Processing
   Error in Windows NT 4.0 Service Pack 4 (the
   Web-posted version of this bulletin),
   http://www.microsoft.com/security/bulletins/ms99-004.asp.
 - Microsoft Knowledge Base (KB) article Q214840,
   MSV1_0 Incorrectly Allows Network Connections for
   Specific Accounts.
   http://support.microsoft.com/support/kb/articles/q214/8/40.asp
   (Note: It might take 24 hours from the original posting
   of this bulletin for the KB article to be visible in the
   Web-based Knowledge Base.)

Acknowledgements
================
Microsoft wishes to acknowledge Harry Johnston, School of Computing and
Mathematical Sciences, University of Waikato, New Zealand, for discovering
this vulnerability and reporting it to us.

Obtaining Support on this Issue
===============================
This is a supported patch. If you have problems installing
this patch or require technical assistance with this patch,
please contact Microsoft Technical Support. For information
on contacting Microsoft Technical Support, please see
http://support.microsoft.com/support/contact/default.asp.

Revisions
=========
 - February 8, 1999: Bulletin Created

For additional security-related information about Microsoft
products, please visit http://www.microsoft.com/security

-----------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS"
WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER
EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN
IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR
LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE
FOREGOING LIMITATION MAY NOT APPLY.

(c) 1999 Microsoft Corporation. All rights reserved. Terms of Use.

   *******************************************************************
You have received  this e-mail bulletin as a result  of your registration
to  the   Microsoft  Product  Security  Notification   Service.  You  may
unsubscribe from this e-mail notification  service at any time by sending
an  e-mail  to  MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM
The subject line and message body are not used in processing the request,
and can be anything you like.

For  more  information on  the  Microsoft  Security Notification  Service
please    visit    http://www.microsoft.com/security/bulletin.htm.    For
security-related information  about Microsoft products, please  visit the
Microsoft Security Advisor web site at http://www.microsoft.com/security.