For those of you who run ADs.
>>> “Luevano, Ana” <ana.luevano@dir.state.tx.us> 6/9/2009 3:55 PM >>>
MULTI-STATE INFORMATION SHARING AND ANALYSIS CENTER CYBER SECURITY ADVISORY
MS-ISAC ADVISORY NUMBER:
2009-034
DATE(S) ISSUED:
6/9/2009
SUBJECT:
Vulnerabilities in Active Directory Could Allow Remote Code Execution (MS09-018)
OVERVIEW:
Two vulnerabilities have been discovered in Active Directory. Active
Directory is a Microsoft technology that enables authentication and
access to resources on a network. These vulnerabilities may be exploited
by a specially crafted request targeting a vulnerable server running
Active Directory. The most severe vulnerability could allow an attacker
to remotely execute arbitrary code. Successful exploitation could result
in an attacker gaining complete control of the affected system and could
lead to the compromise of any other system that is part of the affected
domain. An attacker could then install programs; view, change, or delete
data; or create new accounts with full user rights. Failed exploit
attempts may result in a denial-of-service condition.
SYSTEMS AFFECTED:
* Microsoft Windows 2000 Server Service Pack 4
* Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3
* Windows XP Professional x64 Edition Service Pack 2
* Windows Server 2003 Service Pack 2
* Windows Server 2003 x64 Edition Service Pack 2
* Windows Server 2003 with SP2 for Itanium-based Systems
RISK:
Government:
* Large and medium government entities: High
* Small government entities: High
Businesses:
* Large and medium business entities: High
* Small business entities: High
Home users: N/A
DESCRIPTION:
Two vulnerabilities have been discovered in Active Directory, the most
severe of which could allow an attacker to remotely execute arbitrary
code. The other vulnerability could result in denial-of-service
conditions. Active Directory is a Microsoft technology that enables
authentication and access to resources on a network.
The first vulnerability exists in implementations of Active Directory on
Microsoft Windows 2000 Server. The vulnerability is due to the incorrect
freeing of memory when processing specially crafted Lightweight
Directory Access Protocol (LDAP) or LDAPS (LDAP over SSL) requests.
Successfully exploiting this issue may allow an attacker to take
complete control of the affected system and could lead to the compromise
of any other system that is part of the affected domain. An attacker
could then install programs; view, change, or delete data; or create new
accounts with full user rights.
The second vulnerability exists in implementations of Active Directory
on Microsoft Windows 2000 Server and Windows Server 2003 and in
implementations of Active Directory Application Mode (ADAM) when
installed on Windows XP Professional and Windows Server 2003. ADAM is an
LDAP directory service that runs as a user service, rather than as a
system service. The vulnerability is due to improper memory management
during execution of certain types of LDAP or LDAPS requests.
Successfully exploiting this issue may cause the affected system to stop
accepting requests, creating a denial-of-service condition.
In order to exploit either of these vulnerabilities, an attacker must be
able to send LDAP or LDAPS requests to the affected Active Directory or
ADAM server. In the case of LDAP access on Windows 2000 servers, the
attacker may be anonymous. As most organizations will block external
LDAP requests, the most likely attack scenario would be an insider
attack.
RECOMMENDATIONS:
We recommend the following actions be taken:
* Apply appropriate patches provided by Microsoft to vulnerable
systems immediately after appropriate testing.
* Ensure TCP ports 389 (LDAP), 636 (LDAPS), 3268 (Microsoft Global
Catalog), and 3269 (Microsoft Global Catalog over SSL) are blocked at
perimeter firewalls and only grant access to those external systems that
have a justified business need to access these ports through the use of
IP and port filtering.
* Disable anonymous LDAP access on Microsoft Windows 2000 servers.
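A defender-side check for the port-filtering recommendation above, added here as an example and not part of the MS-ISAC advisory: it scans constructed perimeter firewall log lines for external sources reaching the four LDAP-related TCP ports, separating accepted connections (a rule gap) from dropped probes. The log format, the RFC 1918 internal ranges and the allowlisted external address are assumptions.

```python
import ipaddress

# TCP ports named in the advisory's port-filtering recommendation.
LDAP_PORTS = {389: "LDAP", 636: "LDAPS", 3268: "GC", 3269: "GC over SSL"}
# Assumed: RFC 1918 is internal; one allowlisted external system (constructed).
INTERNAL_NETS = [ipaddress.ip_network(n)
                 for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
ALLOWED_EXTERNAL = {"203.0.113.10"}
# Constructed perimeter firewall log lines; the format is an assumption.
SAMPLE_LOG = """\
2009-06-10T08:00:01 ACCEPT src=198.51.100.7 dst=192.0.2.5 dport=389 proto=tcp
2009-06-10T08:00:02 DROP src=198.51.100.7 dst=192.0.2.5 dport=636 proto=tcp
2009-06-10T08:00:03 ACCEPT src=203.0.113.10 dst=192.0.2.5 dport=3268 proto=tcp
2009-06-10T08:00:04 ACCEPT src=10.1.2.3 dst=192.0.2.5 dport=389 proto=tcp
2009-06-10T08:00:05 ACCEPT src=198.51.100.9 dst=192.0.2.5 dport=3269 proto=tcp
2009-06-10T08:00:06 ACCEPT src=198.51.100.9 dst=192.0.2.5 dport=443 proto=tcp
""".splitlines()

def is_internal(addr):
    """True if addr falls inside the assumed internal address space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)

def parse_line(line):
    """Parse 'ts ACTION key=value ...' into a dict; None if malformed."""
    fields = line.split()
    try:
        rec = {"action": fields[1]}
        for kv in fields[2:]:
            key, _, value = kv.partition("=")
            rec[key] = value
        rec["dport"] = int(rec["dport"])
        ipaddress.ip_address(rec["src"])  # reject unparsable sources early
    except (IndexError, KeyError, ValueError):
        return None
    return rec

def audit_ldap_exposure(lines):
    """Sort external, non-allowlisted hits on LDAP ports into 'gaps'
    (ACCEPTed: a perimeter rule gap) and 'blocked' (DROPped probes)."""
    result = {"gaps": [], "blocked": []}
    for rec in filter(None, map(parse_line, lines)):
        port, src = rec["dport"], rec["src"]
        if rec.get("proto") != "tcp" or port not in LDAP_PORTS:
            continue
        if is_internal(src) or src in ALLOWED_EXTERNAL:
            continue
        bucket = "gaps" if rec["action"] == "ACCEPT" else "blocked"
        result[bucket].append((src, port, LDAP_PORTS[port]))
    return result
```

Any entry under "gaps" is an external host the perimeter let through to a directory port without a recorded business justification; "blocked" entries show the filter working and are worth counting as probe volume.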
REFERENCES:
Microsoft:
http://www.microsoft.com/technet/security/bulletin/MS09-018.mspx
SecurityFocus:
http://www.securityfocus.com/bid/35226
CVE:
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1139
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1138