Vulnerability Note VU#150236

Microsoft Windows Secure Sockets Layer (SSL) library vulnerable to DoS

Original Release date: 14 Apr 2004 | Last revised: 14 Apr 2004

Overview

A vulnerability in the Microsoft Secure Sockets Layer library could allow a remote attacker to cause a denial-of-service condition on an affected system.

Description

The Secure Sockets Layer (SSL) protocol is commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. The Microsoft Secure Sockets Layer library contains support for SSL and a number of other secure communication protocols.

A flaw exists in the process used by the SSL Library to check message inputs, specifically in the handling of some malformed SSL messages. This flaw results in a vulnerability that could allow a remote attacker to cause a denial-of-service condition on the affected system. An attacker with the ability to send a specially crafted malformed messages to an SSL-enabled service or program could exploit this vulnerability. Microsoft provides the following description of configurations that are vulnerable:


    All systems that have SSL enabled are vulnerable. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use SSL.

    Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections.

Impact

A remote attacker could cause the affected system to stop accepting SSL connections (for systems running Windows 2000 and Windows XP) or automatically restart (for systems running Windows Server 2003).

Solution

Apply a patch from the vendor

Microsoft, Inc. has published Microsoft Security Bulletin MS04-011 in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.

Workarounds


Microsoft lists the following workaround in MS04-011:

    Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.
    • Block ports 443 and 636 at the firewall

    Port 443 is used to receive SSL traffic. Port 636 is used for LDAP SSL connections (LDAPS). Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Other ports may be found that could be used to exploit this vulnerability. However, the ports listed here are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

    Impact of Workaround: If ports 443 or 636 are blocked, the affected systems can no longer accept external connections using SSL or LDAPS.

Systems Affected (Learn More)

VendorStatusDate NotifiedDate Updated
Microsoft CorporationAffected-14 Apr 2004
If you are a vendor and your product is affected, let us know.

CVSS Metrics (Learn More)

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A N/A

References

Credit

Thanks to Microsoft Security for reporting this vulnerability. Microsoft, in turn, credits John Lampe of Tenable Network Security for reporting this issue to them.

This document was written by Chad R Dougherty based on information provided in Microsoft Security Bulletin MS04-011.

Other Information

  • CVE IDs: CAN-2004-0120
  • Date Public: 13 Apr 2004
  • Date First Published: 14 Apr 2004
  • Date Last Updated: 14 Apr 2004
  • Severity Metric: 6.48
  • Document Revision: 4

Feedback

If you have feedback, comments, or additional information about this vulnerability, please send us email.