search menu icon-carat-right cmu-wordmark

CERT Coordination Center

Microsoft Windows Active Directory fails to handle long LDAP requests

Vulnerability Note VU#594108

Original Release Date: 2003-07-17 | Last Revised: 2003-07-23

Overview

A flaw has been discovered in the way that Microsoft's Active Directory service handles large LDAP requests. This flaw could result in a denial-of-service vulnerability.

Description

The directory services provided by Microsoft's Active Directory are based on the Lightweight Directory Access Protocol (LDAP). Active Directory objects can be stored and retrieved using standard LDAPv3 requests. Core Security Technologies has discovered a flaw in the way the Active Directory service handles long LDAP requests.

This flaw occurs when an LDAP search request with more than 700 logical qualifiers (e.g., "AND" or "OR") is sent to the server. Exploitation of the flaw reportedly results in a stack overflow and subsequent crash of the Local Security Authority Sub-System (Lsass.exe) service. The death of the Lsass.exe process forces a shutdown of the Windows host system, resulting in a denial of service for the affected server.

Impact

Remote attackers may be able to crash the Active Directory server. This can result in a serious denial-of-service condition since the Active Directory service necessarily resides on Windows domain controllers. Unavailability of the domain controllers may affect normal operations within the domain.

Solution

Microsoft has included a patch for this issue in Windows 2000 Service Pack 4. For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:

319709 - An Access Violation Occurs in Lsass Because of a Stack Overflow
260910 - How to Obtain the Latest Windows 2000 Service Pack

Workarounds

Block or restrict access to the Active Directory service (port 389/tcp) from untrusted networks such as the Internet. As a general rule, the CERT/CC recommends that sites block all types of network traffic from sources that are not explicitly required for normal operation.

Vendor Information

594108
 
Affected   Unknown   Unaffected

Microsoft Corporation

Notified:  July 14, 2003 Updated:  July 17, 2003

Status

  Vulnerable

Vendor Statement

No statement is currently available from the vendor regarding this vulnerability.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Microsoft has included a patch for this issue in Windows 2000 Service Pack 4. For additional information, users are encouraged to review the following Microsoft Knowledge Base Articles:


    319709 - An Access Violation Occurs in Lsass Because of a Stack Overflow
    260910 - How to Obtain the Latest Windows 2000 Service Pack

    If you have feedback, comments, or additional information about this vulnerability, please send us email.


CVSS Metrics

Group Score Vector
Base N/A N/A
Temporal N/A N/A
Environmental N/A

References

Credit

Thanks to Core Security Technologies for discovering, researching, and reporting this vulnerability.

This document was written by Chad R Dougherty.

Other Information

CVE IDs: CVE-2003-0507
Severity Metric: 13.10
Date Public: 2003-07-02
Date First Published: 2003-07-17
Date Last Updated: 2003-07-23 15:01 UTC
Document Revision: 18

Sponsored by the Department of Homeland Security Office of Cybersecurity and Communications.