
CERT Coordination Center


Microsoft Windows 2000 Kerberos service vulnerable to DoS via repeated invalid requests

Vulnerability Note VU#145904

Original Release Date: 2001-05-17 | Last Revised: 2001-06-26

Overview

A core service of Microsoft Windows 2000 domain controllers fails to correctly handle certain invalid requests. After receiving a number of invalid requests, the domain controller may have to be rebooted to return it to correct operation. A disabled domain controller can interfere with the ordinary operation of all machines in the domain.

Description

Microsoft Windows 2000 uses Kerberos as its default means of authentication. Kerberos is a trusted-third-party scheme that is used to perform mutual authentication between two network entities who trust a "neutral" third party, known as a key distribution center (KDC). In the Microsoft implementation of Kerberos, a domain controller serves as the KDC. By making certain kinds of invalid Kerberos requests to a Windows 2000 domain controller repeatedly, an intruder can exhaust the available memory of the system, effectively rendering it incapable of processing further Kerberos requests, possibly interrupting the ordinary operation of other services on that same machine, and severely impacting system performance. In order to recover the memory, a system administrator must reboot the machine.

More information about this problem is available in Microsoft Security Bulletin MS01-024 and in the advisory issued by Defcom Labs, who originally discovered the problem.

Note that a casual reader of the Microsoft advisory may not appreciate the scope of this vulnerability. Quoting from their advisory:

    If there were multiple domain controllers on the domain, the unaffected machines could pick up the other machine’s load. 

This statement is true, but may lead one to assume that a failure of a domain controller resulting from this vulnerability would be independent of failures of other domain controllers. While having multiple domain controllers is recommended to guard against independent failures (e.g. a disk drive failure), security failures by their very nature are not likely to be independent. Intruders who wish to disrupt the operation of your domain will certainly realize that there may be more than one domain controller; and if they can attack one of them, it is likely that they can attack all of them.

Microsoft addressed the question of redundancy in its white paper "Windows 2000 Kerberos Authentication". Quoting from that document:

    The KDC is located on every domain controller, as is the Active Directory service. Both services are started automatically by the domain controller's Local Security Authority (LSA) and run in the process space of the LSA. Neither service can be stopped. Windows 2000 ensures availability of these services by allowing each domain to have several domain controllers, all peers. Any domain controller can accept authentication requests and ticket-granting requests addressed to the domain's KDC.

Thus all Windows 2000 domain controllers share the same vulnerability in a service that cannot be disabled and that requires a reboot to recover. Redundancy protects against independent failures; it does not protect against an intruder who simply repeats the attack against each domain controller in turn.

Impact

Intruders can disable domain controllers, effectively halting the processing of logon requests and the granting of new Kerberos tickets.

Solution

Apply a patch as described in Microsoft Security Bulletin MS01-024.

Limiting access to ports 88 (Kerberos) and 464 (Kerberos password change, kpasswd), on both TCP and UDP, so that only hosts that legitimately need to authenticate to the domain can reach them can reduce your exposure to this problem. In general, we recommend blocking access to all ports that aren't explicitly required.
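The following is an added illustration, not code from the CERT note or from Microsoft, of the two mitigations the Description and Solution sections point at: refusing malformed KDC requests cheaply and early, and restricting which sources may reach the KDC ports at all. It models a small filter placed in front of UDP port 88 that (1) drops traffic from sources outside the subnets that should be talking to a domain controller, (2) checks only the outer ASN.1 envelope of each datagram, rejecting anything that is not a consistently-encoded AS-REQ or TGS-REQ without buffering it, and (3) stops processing a source that keeps sending invalid requests. The trusted subnets, the size cap, the per-source budget and the sample datagrams are all constructed assumptions for the example; the outer tags (APPLICATION 10 for AS-REQ, APPLICATION 12 for TGS-REQ) come from the Kerberos specification (RFC 1510, later RFC 4120).

```python
"""Front-end sanity filter for KDC (port 88) datagrams.

Added example for this note; not Microsoft's or CERT's code.
Handles raw UDP datagrams; Kerberos over TCP carries a 4-byte
big-endian length prefix that would have to be stripped first.
"""
import ipaddress
from collections import defaultdict, deque

# Assumed deployment parameters (not from the advisory).
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                ipaddress.ip_network("192.168.0.0/16")]
MAX_REQUEST_BYTES = 4096      # assumed cap; real KDC requests are smaller
MAX_BAD_PER_WINDOW = 5        # invalid requests a source may send per window
WINDOW_SECONDS = 60.0

# Outer DER tags: [APPLICATION n], constructed => 0x60 | n.
TAG_AS_REQ = 0x60 | 10        # 0x6A
TAG_TGS_REQ = 0x60 | 12       # 0x6C
ACCEPTED_TAGS = {TAG_AS_REQ: "AS-REQ", TAG_TGS_REQ: "TGS-REQ"}


class RejectedRequest(Exception):
    """Datagram is not a well-formed KDC request envelope."""


def der_outer_envelope(data):
    """Return (tag, content_length, header_length) of the outer DER TLV.

    Looks only at the first few bytes; never copies or walks the body,
    so a malformed request costs nothing beyond the datagram itself.
    """
    if len(data) < 2:
        raise RejectedRequest("truncated: no tag/length")
    tag, first = data[0], data[1]
    if first < 0x80:                       # short-form length
        return tag, first, 2
    if first == 0x80:                      # indefinite length: BER only, not DER
        raise RejectedRequest("indefinite length not allowed in DER")
    n = first & 0x7F                       # long form: n following length bytes
    if n > 2:                              # > 65535 bytes is never a sane request
        raise RejectedRequest("absurd length-of-length %d" % n)
    if len(data) < 2 + n:
        raise RejectedRequest("truncated length field")
    length = int.from_bytes(data[2:2 + n], "big")
    if (n == 1 and length < 128) or (n == 2 and length < 256):
        raise RejectedRequest("non-minimal length encoding")
    return tag, length, 2 + n


def classify_request(data):
    """Return 'AS-REQ' or 'TGS-REQ' for an acceptable envelope, else raise."""
    if len(data) > MAX_REQUEST_BYTES:
        raise RejectedRequest("oversized datagram (%d bytes)" % len(data))
    tag, length, hdr = der_outer_envelope(data)
    if tag not in ACCEPTED_TAGS:
        raise RejectedRequest("unexpected outer tag 0x%02x" % tag)
    if hdr + length != len(data):
        raise RejectedRequest("declared length %d != actual %d"
                              % (length, len(data) - hdr))
    return ACCEPTED_TAGS[tag]


class KdcFrontFilter:
    """Source allow-list plus per-source budget of invalid requests."""

    def __init__(self, trusted_nets=TRUSTED_NETS,
                 max_bad=MAX_BAD_PER_WINDOW, window=WINDOW_SECONDS):
        self.trusted = list(trusted_nets)
        self.max_bad = max_bad
        self.window = window
        self.bad = defaultdict(deque)      # src_ip -> times of rejected requests

    def verdict(self, src_ip, data, now):
        """Return 'pass:<kind>' or 'drop:<reason>' for one datagram at time `now`."""
        addr = ipaddress.ip_address(src_ip)
        if not any(addr in net for net in self.trusted):
            return "drop:untrusted-source"
        q = self.bad[src_ip]
        while q and now - q[0] > self.window:  # forget old rejections
            q.popleft()
        if len(q) >= self.max_bad:             # budget spent: drop everything
            return "drop:rate-limited"
        try:
            kind = classify_request(data)
        except RejectedRequest as err:
            q.append(now)
            return "drop:invalid:" + str(err)
        return "pass:" + kind


def demo():
    """Run constructed datagrams through the filter; returns the verdicts."""
    f = KdcFrontFilter()
    good = bytes([0x6A, 0x05, 0x30, 0x03, 0x02, 0x01, 0x05])   # AS-REQ envelope
    krb_error = bytes([0x7E, 0x05, 0x30, 0x03, 0x02, 0x01, 0x05])  # tag a KDC never receives
    bad_length = bytes([0x6A, 0x10, 0x30, 0x03, 0x02, 0x01, 0x05])  # claims 16, carries 5
    out = [f.verdict("10.1.2.3", good, 0.0),
           f.verdict("198.51.100.7", good, 0.0),
           f.verdict("10.1.2.3", krb_error, 1.0),
           f.verdict("10.1.2.3", bad_length, 2.0)]
    for i in range(3):                     # three more junk datagrams
        out.append(f.verdict("10.1.2.3", b"\x6a", 3.0 + i))
    out.append(f.verdict("10.1.2.3", good, 10.0))    # budget spent
    out.append(f.verdict("10.1.2.3", good, 100.0))   # window drained
    return out


if __name__ == "__main__":
    for v in demo():
        print(v)
```

Once a source has spent its budget of invalid requests, the filter drops its valid requests too until the window drains; that is deliberate, since a host emitting a stream of malformed Kerberos messages is either broken or hostile, and either way the domain controller's memory is better spent elsewhere. The envelope check is intentionally shallow: the point is to discard junk at a cost the filter controls, not to re-implement the KDC's parser.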

Vendor Information


Microsoft

Updated:  May 17, 2001

Status

  Vulnerable

Vendor Statement

See http://www.microsoft.com/TechNet/security/bulletin/MS01-024.asp.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

The CERT/CC has no additional comments at this time.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A


Credit

This problem was originally discovered by Peter Gründl of Defcom Labs. A copy of their original advisory is available from Windows IT Security.

This document was written by Shawn V. Hernan.

Other Information

CVE IDs: CVE-2001-0237
Severity Metric: 27.54
Date Public: 2001-05-09
Date First Published: 2001-05-17
Date Last Updated: 2001-06-26 02:29 UTC
Document Revision: 10

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.