Bugtraq mailing list archives
Microsoft Security Bulletin (MS00-067)
From: Microsoft Product Security <secnotif () MICROSOFT COM>
Date: Thu, 14 Sep 2000 18:58:13 -0700
The following is a Security Bulletin from the Microsoft Product Security Notification Service. Please do not reply to this message, as it was sent from an unattended mailbox.
********************************

-----BEGIN PGP SIGNED MESSAGE-----

Microsoft Security Bulletin (MS00-067)
- ---------------------------------------

Patch Available for "Windows 2000 Telnet Client NTLM Authentication" Vulnerability

Originally posted: September 14, 2000

Summary
=======
Microsoft has released a patch that eliminates a security vulnerability in the telnet client that ships with Microsoft(r) Windows 2000. The vulnerability could, under certain circumstances, allow a malicious user to obtain cryptographically protected logon credentials from another user.

Frequently asked questions regarding this vulnerability and the patch can be found at http://www.microsoft.com/technet/security/bulletin/fq00-067.asp

Issue
=====
Windows 2000 includes a telnet client capable of using NTLM authentication when connecting to a remote NTLM enabled telnet server. A vulnerability exists because the client will, by default, perform NTLM authentication when connecting to the remote telnet server. This could allow a malicious user to obtain another user's NTLM authentication credentials without the user's knowledge.

A malicious user could exploit this behavior by creating a carefully-crafted HTML document that, when opened, could attempt to initiate a Telnet session to a rogue telnet server - automatically passing NTLM authentication credentials to the malicious server's owner. The malicious user could then use an offline brute force attack to derive the password or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.

This vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer. In order to leverage the NTLM credentials (or subsequently cracked password), the malicious user would have to be able to remotely logon to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices were followed, they would prevent an attacker from using the credentials to logon to the target system. Best practices also strongly recommend that Windows 2000 users logon to their hosts with User level credentials, and if these practices were followed, they would prevent a malicious user from obtaining Administrator level NTLM credentials.

Affected Software Versions
==========================
- Microsoft Windows 2000

Patch Availability
==================
- Microsoft Windows 2000:
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24319

Note: The above URL may not be accessible. If this is the case, please download the patch from the following URL: (this URL may be wrapped)
http://download.microsoft.com/download/win2000platform/patch/q272743/nt5/en-us/q272743_w2k_sp2_x86_en.exe

Note: This patch may be applied to both Windows 2000 (pre SP1) and Windows 2000 Service Pack 1 systems.

Note: Additional security patches are available at the Microsoft Download Center

More Information
================
Please see the following references for more information related to this issue.
- Frequently Asked Questions: Microsoft Security Bulletin MS00-067
  http://www.microsoft.com/technet/security/bulletin/fq00-067.asp
- Microsoft Knowledge Base article Q272743 discusses this issue and will be available soon.
- Microsoft TechNet Security web site
  http://www.microsoft.com/technet/security/default.asp

Obtaining Support on this Issue
===============================
This is a fully supported patch. Information on contacting Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.

Acknowledgments
===============
Microsoft thanks DilDog of @Stake Inc. (www.atstake.com) for reporting this issue to us and working with us to protect customers.

Revisions
=========
September 14, 2000: Bulletin Created.

- -----------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

(c) 2000 Microsoft Corporation. All rights reserved. Terms of use.

*******************************************************************

You have received this e-mail bulletin as a result of your registration to the Microsoft Product Security Notification Service. You may unsubscribe from this e-mail notification service at any time by sending an e-mail to MICROSOFT_SECURITY-SIGNOFF-REQUEST () ANNOUNCE MICROSOFT COM

The subject line and message body are not used in processing the request, and can be anything you like.

To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp.

For more information on the Microsoft Security Notification Service please visit http://www.microsoft.com/technet/security/notify.asp. For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security.
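
A defender-side check for the delivery vector the bulletin describes (an HTML document that points the client at a telnet server), as an added example that is not part of the bulletin or any Microsoft tooling: it lists every telnet: URL found in a document's attributes so mail or web content can be reviewed on unpatched networks. The function name, the sample markup and the .example hosts are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Browsers ignore ASCII tab/CR/LF inside a URL, so drop them before matching.
_IGNORED = str.maketrans("", "", "\t\r\n")
# telnet: at the start of a value, or after a separator inside a longer value.
_TELNET = re.compile(r"(?:^|[\s;,=])(telnet:[^\s\"'<>]*)", re.IGNORECASE)


class _TelnetRefFinder(HTMLParser):
    """Records (tag, attribute, host) for each attribute holding a telnet: URL."""

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        # html.parser has already decoded character references in the values.
        for name, value in attrs:
            if not value:
                continue
            cleaned = value.translate(_IGNORED).strip()
            for match in _TELNET.finditer(cleaned):
                try:
                    host = urlsplit(match.group(1)).hostname
                except ValueError:
                    host = None
                self.findings.append((tag, name, host or "(unparsed)"))


def find_telnet_refs(html_text):
    """Return every telnet: reference in html_text, in document order."""
    finder = _TelnetRefFinder()
    finder.feed(html_text)
    finder.close()
    return finder.findings


# Constructed sample input: mixed case, a character reference, an embedded
# tab, and a URL carried inside a longer attribute value.
SAMPLE_HTML = """
<a href="https://intranet.example/wiki">wiki</a>
<a href="TELNET://host-a.example/">one</a>
<a href="tel&#110;et://host-b.example:23">two</a>
<a href=" tel\tnet://host-c.example">three</a>
<div data-next="go=telnet://host-d.example">four</div>
<a href="mailto:helpdesk@corp.example">mail</a>
"""

if __name__ == "__main__":
    for tag, attr, host in find_telnet_refs(SAMPLE_HTML):
        print(f"<{tag} {attr}> references telnet host {host}")
```

Hosts reported by the scan can be compared against the telnet servers the organisation actually operates; anything else is a candidate for blocking at the border, in line with the bulletin's advice on remote logon services.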