Security Bulletin

Microsoft Security Bulletin MS00-040 - Critical

Patch Available for 'Remote Registry Access Authentication' Vulnerability

Published: June 08, 2000 | Updated: April 26, 2002

Version: 1.1

Originally posted: June 08, 2000

Summary

Microsoft has released a patch that eliminates a security vulnerability in Microsoft® Windows NT 4.0. Under certain conditions, the vulnerability could be used to cause a Windows NT 4.0 machine to fail.

Affected Software: Microsoft Windows NT 4.0 Workstation Microsoft Windows NT 4.0 Server Microsoft Windows NT 4.0 Server, Enterprise Edition Microsoft Windows NT 4.0 Server, Terminal Server Edition Note: Windows 2000 is not affected by this vulnerability.

Vulnerability Identifier: CVE-2000-0377

General Information

Technical details

Technical description:

Before a request to access the registry from a remote machine can be processed, it must first be authenticated by the Remote Registry server. If the request is malformed in a specific fashion, it could be misinterpreted by the remote registry server, causing it to fail. Because the Remote Registry server is contained within the winlogon.exe system process on Windows NT 4.0, a failure in that process would cause the entire system to fail. Only an authenticated user could levy such a request -- an anonymous (or null-session) connection could not cause this failure. An affected machine could be put back into service by rebooting.

Frequently asked questions

What's this bulletin about?
Microsoft Security Bulletin MS00-040 announces the availability of a patch that eliminates a vulnerability in Microsoft® Windows NT 4.0. Microsoft is committed to protecting customers' information, and is providing the bulletin to inform customers of the vulnerability and what they can do about it.

What's the scope of the vulnerability?
This vulnerability could allow denial of service attacks against a Windows NT 4.0 machine. If a malicious user sent an affected machine a particular type of malformed request for remote registry access, it could cause Windows NT 4.0 to fail. Under default conditions, only authenticated users - users with an account and password on the network -- could exploit this vulnerability. If a machine has been configured to deny all registry access requests, it would not be affected by this vulnerability under any conditions. An affected machine could be put back into service by rebooting.

What causes the vulnerability?
The vulnerability results because, when authenticating a user's request to remotely interrogate the registry, the Winlogon process does not correctly handle a certain type of malformed request. Depending on the circumstances, the Winlogon process itself could fail, and cause the entire system to stop.

What is Winlogon?
Winlogon.exe is the process that manages security-related user interactions in Windows NT. It handles logon and logoff requests, locking or unlocking the machine, changing the password, and other requests. Winlogon on Windows NT 4.0 also contains the remote registry service.

What do you mean by "remotely interrogating" the registry?
By "remotely interrogating" the registry, we mean reading or changing registry entries on a remote machine.

Isn't there a way to configure Windows NT 4.0 to prevent remote access to the registry?
Yes. Windows NT 4.0 Service Pack introduced a new registry key, the so-called Winreg key, which regulates who can remotely access the registry. The Security permissions set on this key define what Users or Groups can connect to the system for remote access to the registry. The default permissions only allow administrators full access to the registry, and deny all other users access. More information on the Winreg key is available in Microsoft Knowledge Base article Q153183. However, it's important to understand that the Winreg key would not protect against this vulnerability by default. As long as any key can be interrogated, a malicious user could exploit this vulnerability. As discussed in the Knowledge Base article, the default setting of the Winreg key allows a small number of registry keys to be interrogated by authenticated users. The specific list of such keys is specified via the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\ winreg\AllowedPaths key. Machines whose AllowedPaths value prevents authenticated users from accessing any keys would not be at risk from this vulnerability.

What would the effect of an attack via this vulnerability be?
In most cases, the vulnerability causes Winlogon to fail; because winlogon is a critical system process, this would cause Windows NT 4.0 to fail altogether.

Who could exploit this vulnerability?
Under default conditions, only members of the Authenticated Users group - users who have an account and password on the domain - could exploit it. An external user connecting to a server via a null session would not be able to exploit it.

How could an affected machine be put back into service?
An affected machine could be put back into normal service by rebooting it.

Could this vulnerability be exploited accidentally?
It's very unlikely. The specific malformation at issue is not generated as part of any standard registry-editing tool like Regedit or Regedt32. It only occurs when a call is made to the appropriate Win32 API, with a specific (and invalid) malformed parameter.

What machines are primarily at risk from this vulnerability?
Although the vulnerability affects all Windows NT 4.0 machines, the ones most likely to be targeted by this attack would be servers, especially domain controllers. As discussed above, by targeting the domain controllers in a network, a malicious user could prevent users from logging onto the network.

Is Windows 2000 affected by the vulnerability?
No. The Windows 2000 remote registry server correctly handles the malformed packet. In any event, the Windows 2000 remote registry server is not located in the Winlogon process, so even if the same problem had existed in Windows 2000, it would not result in a system failure.

What does the patch do?
The patch causes the Winlogon process to reject the malformed packet at issue here.

How do I use the patch?
Microsoft Knowledge Base article Q264684 contains detailed instructions for applying the patch to your site.

Where can I get the patch?
The download location for the patch is provided in the "Patch Availability" section of the security bulletin.

How can I tell if I installed the patch correctly?
Microsoft Knowledge Base article Q264684 provides a manifest of the files in the patch package. The easiest way to verify that you've installed the patch correctly is to verify that these files are present on your computer, and have the same sizes and creation dates as shown in the KB article.

What is Microsoft doing about this issue?

  • Microsoft has developed a patch that eliminates the vulnerability.
  • Microsoft has provided a security bulletin and this FAQ to provide customers with a detailed understanding of the vulnerability and the patch.
  • Microsoft has sent copies of the security bulletin to all subscribers to the Microsoft Product Security Notification Service, a free e-mail service that customers can use to stay up to date with Microsoft security bulletins.
  • Microsoft Knowledge Base article Q264684 explaining the vulnerability and patch in more detail

Where can I learn more about best practices for security?
The Microsoft TechNet Security web site is the best to place to get information about Microsoft security.

How do I get technical support on this issue?
Microsoft Technical Support can provide assistance with this or any other product support issue.

Patch availability

Download locations for this patch

Microsoft Windows NT 4.0 Workstation, Server and Server, Enterprise Edition:
https://www.microsoft.com/download/details.aspx?FamilyId=292D70D6-9948-48AD-A3FE-435642D3A0A9&displaylang;=en

Microsoft Windows NT 4.0 Server, Terminal Server Edition:
Included in the Windows NT Server 4.0, Terminal Server Edition Security Rollup Package

Note: Additional security patches are available at the Microsoft Download Center

Other information:

Acknowledgments

Microsoft thanks  Renaud Deraison from the Nessus Team for reporting this issue to us and working with us to protect customers.

Support:

Obtaining Support on this Issue

This is a fully supported patch. Information on contacting Microsoft Technical Support is available at https:.

Security Resources: The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

  • V1.0 (June 08, 2000): Bulletin Created.
  • V1.1 (April 26, 2002): Bulletin updated to advise availability of Windows NT 4.0 Server, Terminal Server Edition Security Rollup Package.

Built at 2014-04-18T13:49:36Z-07:00 </https:>