Bugtraq mailing list archives
Microsoft Security Bulletin (MS00-067)
From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Thu, 21 Sep 2000 19:35:31 -0700
The following is a Security Bulletin from the Microsoft Product Security Notification Service.

Please do not reply to this message, as it was sent from an unattended mailbox.
********************************

Microsoft Security Bulletin (MS00-067)
-------------------------------------

Re-release: Patch Available for "Windows 2000 Telnet Client NTLM Authentication" Vulnerability

Originally posted: September 14, 2000
Re-Released: September 21, 2000

Summary
=======
On September 14, 2000, Microsoft released the original version of this bulletin, which was revised the following day to advise of a problem with the patch. On September 21, 2000, a new version of the patch was released, and the bulletin was updated to advise of its availability. Microsoft recommends that all customers, including those who applied the original version of the patch, apply the new version.

The patch eliminates a security vulnerability in the telnet client that ships with Microsoft(r) Windows 2000. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-067.asp

Issue
=====
Windows 2000 includes a telnet client capable of using NTLM authentication when connecting to a remote NTLM enabled telnet server. A vulnerability exists because the client will, by default, perform NTLM authentication when connecting to the remote telnet server. This could allow a malicious user to obtain another user's NTLM authentication credentials without the user's knowledge.

A malicious user could exploit this behavior by creating a carefully-crafted HTML document that, when opened, could attempt to initiate a Telnet session to a rogue telnet server - automatically passing NTLM authentication credentials to the malicious server's owner. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.

This vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer. In order to leverage the NTLM credentials (or subsequently cracked password), the malicious user would have to be able to remotely logon to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to logon to the target system. Best practices also strongly recommend that Windows 2000 users logon to their hosts with User level credentials, and if these practices were followed, they would prevent a malicious user from obtaining Administrator level NTLM credentials.

Affected Software Versions
==========================
- Microsoft Windows 2000

Patch Availability
==================
- Microsoft Windows 2000:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24399

Note: Customers who applied the original version of the patch should consider applying the current version. The original version eliminated the vulnerability; however, if a malicious user attempted to exploit the vulnerability, the patch caused the Telnet client to fail. The current version of the patch eliminates the vulnerability without interfering with Telnet connections.

Note: This patch will also be included in the next Service Pack for Windows 2000. It can be applied to computers with or without Service Pack 1.

Note: Additional security patches are available at the Microsoft Download Center

More Information
================
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-067,
  http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
- Microsoft Knowledge Base (KB) article Q272743,
  http://www.microsoft.com/technet/support/kb.asp?ID=272743
- Microsoft TechNet Security web site,
  http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks DilDog of @Stake Inc. (www.atstake.com) for reporting this issue to us and working with us to protect customers.

Revisions
=========
- September 14, 2000: Bulletin Created.
- September 15, 2000: Bulletin re-released to advise of problem with patch.
- September 21, 2000: Bulletin re-released to advise of availability of new patch.

-----------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

September 21, 2000

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.
*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM

The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
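
A defensive check for the delivery path the Issue section describes (an HTML document that initiates a Telnet session when opened), added here as an example and not part of the bulletin: it flags `telnet:` URLs in HTML and marks the ones that load without a click. The attribute list, the click-required tag set and the sample document are assumptions constructed for illustration.

```python
from html.parser import HTMLParser

# Constructed for this example, not exhaustive.
URL_ATTRS = {"href", "src", "action", "background", "data"}
CLICK_TAGS = {"a", "area", "form"}  # followed only after a user action

def telnet_target(value):
    """Return host[:port] when value is a telnet: URL, otherwise None."""
    if not value:
        return None
    # Browsers drop tab/CR/LF and leading whitespace and match the scheme
    # case-insensitively, so normalise before comparing.
    cleaned = "".join(ch for ch in value if ch not in "\t\r\n").strip()
    if not cleaned.lower().startswith("telnet:"):
        return None
    rest = cleaned[len("telnet:"):].lstrip("/")
    return rest.split("/", 1)[0].rsplit("@", 1)[-1] or "(no host)"

class TelnetRefFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser has already decoded &#..; references
        urls = [(k, v) for k, v in attrs.items() if k in URL_ATTRS]
        if tag == "meta" and (attrs.get("http-equiv") or "").lower() == "refresh":
            # content="0; url=..." redirects without any user action
            url = (attrs.get("content") or "").partition(";")[2].strip()
            urls.append(("content", url[4:].strip() if url.lower().startswith("url=") else url))
        for attr, value in urls:
            host = telnet_target(value)
            if host:
                self.findings.append({"tag": tag, "attr": attr, "host": host,
                                      "needs_click": tag in CLICK_TAGS})

def scan_html(text):
    """Return one finding per telnet: reference in an HTML document."""
    finder = TelnetRefFinder()
    finder.feed(text)
    return finder.findings

# Constructed sample; hosts use reserved example names and addresses.
SAMPLE = """<html><body>
<a href="telnet://bbs.example.invalid">Company BBS</a>
<iframe src="TELNET://203.0.113.7:23/"></iframe>
<img src="tel&#110;et://files.example.invalid">
<a href="https://www.example.invalid/telnet:help">docs</a>
</body></html>"""
```

Findings with `needs_click` set to `False` are the ones that match the bulletin's "when opened" case and deserve the higher severity at a mail or web gateway.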