1. /
  2. Security Response/
  3. Microsoft Windows 2000 Domain Controller LDAP Denial Of Service Vulnerability

Microsoft Windows 2000 Domain Controller LDAP Denial Of Service Vulnerability

Risk

Medium

Date Discovered

April 13, 2004

Description

A denial of service vulnerability has been reported in Microsoft Windows 2000 Server systems that are acting as Domain Controllers. This issue may be triggered by sending a malformed LDAP query to an affected Windows 2000 Domain Controller. This will cause a reboot in the Domain Controller and may be exploited repeatedly to cause a persistent denial of service.

Technologies Affected

  • Avaya DefinityOne Media Servers
  • Avaya IP600 Media Servers
  • Avaya S3400 Message Application Server
  • Avaya S8100 Media Servers
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4

Recommendations

Block external access at the network boundary, unless external parties require service.

Use multiple layers of network access control to regulate external or untrusted network traffic. This will help to limit exposure to exploitation of this and other latent vulnerabilities. This includes blocking inbound connections to TCP ports 389, 636, 3368 and 3369.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Deploy network intrusion detection systems to monitor network traffic for anomalous or suspicious activity. This may help in detecting attack attempts or activity that is the result of successful exploitation of this or other latent vulnerabilities.
Avaya has released an advisory to announce that Avaya System Products shipping on Microsoft platforms are also affected by this vulnerability. Avaya advise that customers follow the Microsoft recommendations for the resolution of this issue. The aforementioned advisory can be viewed at the following location: http://support.avaya.com/japple/css/japple?temp.groupID=&temp.selectedFamily=128451&temp.selectedProduct=154235&temp.selectedBucket=126655&temp.feedbackState=askForFeedback&temp.documentID=161384&PAGE=avaya.css.CSSLvl1Detail&executeTransaction=avaya.css.UsageUpdate() Microsoft has released fixes to address this issue. US-CERT has released an advisory TA04-104A to address this and other issues. Please see the referenced advisory for more information.

Credits

Discovery is credited to Carlos Sarraute of Core Security Technologies.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.

Threat Intelligence

Subscribe
Follow the Threat Intelligence Twitter feed
STAR Antimalware Protection Technologies
Internet Security Threat Report, Volume 17
Symantec DeepSight Screensaver