Vulnerability Note VU#145904

Microsoft Windows 2000 Kerberos service vulnerable to DoS via repeated invalid requests

Original Release date: 17 May 2001 | Last revised: 25 Jun 2001

Overview

A core service of Microsoft Windows 2000 domain controllers fails to correctly handle certain invalid requests. After receiving a number of invalid requests, the domain controller may have to be rebooted to return it to correct operation. A disabled domain controller can interfere with the ordinary operation of all machines in the domain.

Description

Microsoft Windows 2000 uses Kerberos as its default means of authentication. Kerberos is a trusted-third-party scheme that is used to perform mutual authentication between two network entities who trust a "neutral" third party, known as a key distribution center (KDC). In the Microsoft implementation of Kerberos, a domain controller serves as the KDC. By making certain kinds of invalid Kerberos requests to a Windows 2000 domain controller repeatedly, an intruder can exhaust the available memory of the system, effectively rendering it incapable of processing further Kerberos requests, possibly interrupting the ordinary operation of other services on that same machine, and severely impacting system performance. In order to recover the memory, a system administrator must reboot the machine.

More information about this problem is available in Microsoft Security Bulletin MS 01-024, and an advisory issued by Defcom Labs, who originally discovered the problem.

Note that a casual reader of the Microsoft advisory may not appreciate the scope of this vulnerability. Quoting from their advisory:

    If there were multiple domain controllers on the domain, the unaffected machines could pick up the other machine’s load. 

This statement is true, but may lead one to assume that a failure of a domain controller resulting from this vulnerability would be independent of failures of other domain controllers. While having multiple domain controllers is recommended to guard against independent failures (e.g. a disk drive failure), security failures by their very nature are not likely to be independent. Intruders who wish to disrupt the operation of your domain will certainly realize that there may be more than one domain controller; and if they can attack one of them, it is likely that they can attack all of them.

Microsoft addressed the issue of redundancy in Windows 2000 Kerberos Authentication. Quoting from that document:
    The KDC is located on every domain controller, as is the Active Directory service. Both services are started automatically by the domain controller's Local Security Authority (LSA) and run in the process space of the LSA. Neither service can be stopped. Windows 2000 ensures availability of these services by allowing each domain to have several domain controllers, all peers. Any domain controller can accept authentication requests and ticket-granting requests addressed to the domain's KDC.
Thus all Windows 2000 domain controllers share a vulnerability in a service that cannot be disabled and which requires a restart to recover.

Impact

Intruders can disable domain controllers, effectively halting the processing of logon requests and the granting of new Kerberos tickets.

Solution

Apply a patch as described in Microsoft Security Bulletin MS01-024.

Limiting access to ports 88 and 464 can reduce your exposure to this problem. In general, we recommend blocking access to all ports that aren't explicitly required.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
MicrosoftAffected-17 May 2001
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

This problem was originally discovered by Peter Gründl of Defcom Labs. A copy of their original advisory is available from Windows IT Security.

This document was written by Shawn V. Hernan.

Other Information

  • CVE IDs: CAN-2001-0237
  • Date Public: 09 May 2001
  • Date First Published: 17 May 2001
  • Date Last Updated: 25 Jun 2001
  • Severity Metric: 27.54
  • Document Revision: 10

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.