search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Secure Sockets Layer (SSL) library vulnerable to DoS

Vulnerability Note VU#150236

Original Release Date: 2004-04-14 | Last Revised: 2004-04-14

Overview

A vulnerability in the Microsoft Secure Sockets Layer library could allow a remote attacker to cause a denial-of-service condition on an affected system.

Description

The Secure Sockets Layer (SSL) protocol is commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. The Microsoft Secure Sockets Layer library contains support for SSL and a number of other secure communication protocols.

A flaw exists in the process used by the SSL Library to check message inputs, specifically in the handling of some malformed SSL messages. This flaw results in a vulnerability that could allow a remote attacker to cause a denial-of-service condition on the affected system. An attacker with the ability to send a specially crafted malformed messages to an SSL-enabled service or program could exploit this vulnerability. Microsoft provides the following description of configurations that are vulnerable:

All systems that have SSL enabled are vulnerable. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use SSL.

Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections.

Impact

A remote attacker could cause the affected system to stop accepting SSL connections (for systems running Windows 2000 and Windows XP) or automatically restart (for systems running Windows Server 2003).

Solution

Apply a patch from the vendor


Microsoft, Inc. has published Microsoft Security Bulletin MS04-011 in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.

Workarounds


Microsoft lists the following workaround in MS04-011:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

      • Block ports 443 and 636 at the firewall
    Port 443 is used to receive SSL traffic. Port 636 is used for LDAP SSL connections (LDAPS). Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Other ports may be found that could be used to exploit this vulnerability. However, the ports listed here are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

    Impact of Workaround: If ports 443 or 636 are blocked, the affected systems can no longer accept external connections using SSL or LDAPS.

Vendor Information

150236
 
Affected   Unknown   Unaffected

Microsoft Corporation

Updated:  April 14, 2004

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft, Inc. has published Microsoft Security Bulletin MS04-011 in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Microsoft Security for reporting this vulnerability. Microsoft, in turn, credits John Lampe of Tenable Network Security for reporting this issue to them.

This document was written by Chad R Dougherty based on information provided in Microsoft Security Bulletin MS04-011

Other Information

CVE IDs: CVE-2004-0120
Severity Metric: 6.48
Date Public: 2004-04-13
Date First Published: 2004-04-14
Date Last Updated: 2004-04-14 15:47 UTC
Document Revision: 4

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.