
Microsoft Windows Workstation Service Remote Buffer Overflow Vulnerability

Risk

High

Date Discovered

November 11, 2003

Description

The Microsoft Windows Workstation service (WKSSVC.DLL) is reportedly prone to a vulnerability that may allow a remote attacker to gain unauthorized access to a vulnerable host. The problem lies in how the Workstation service handles requests: it does not properly check bounds on remote data, which makes it possible to overwrite sensitive regions of system memory.

Technologies Affected

  • Cisco Broadband Troubleshooter
  • Cisco Building BroadBand Services Manager Hotspot 1.0.0
  • Cisco Building Broadband Service Manager 2.5.1
  • Cisco Building Broadband Service Manager 3.0.0
  • Cisco Building Broadband Service Manager 4.0.1
  • Cisco Building Broadband Service Manager 4.2.0
  • Cisco Building Broadband Service Manager 4.3.0
  • Cisco Building Broadband Service Manager 4.4.0
  • Cisco Building Broadband Service Manager 4.5.0
  • Cisco Building Broadband Service Manager 5.0.0
  • Cisco Building Broadband Service Manager 5.1.0
  • Cisco Call Manager
  • Cisco Call Manager 1.0.0
  • Cisco Call Manager 2.0.0
  • Cisco Call Manager 3.0.0
  • Cisco Call Manager 3.1.0
  • Cisco Call Manager 3.1.0 (2)
  • Cisco Call Manager 3.1.0 (3a)
  • Cisco Call Manager 3.2.0
  • Cisco Call Manager 3.3.0
  • Cisco Call Manager 3.3.0 (3)
  • Cisco Call Manager 4.0.0
  • Cisco CiscoWorks VPN/Security Management Solution
  • Cisco Collaboration Server
  • Cisco Conference Connection
  • Cisco Conference Connection 1.1.0 (1)
  • Cisco Conference Connection 1.2.0
  • Cisco Customer Response Application Server
  • Cisco DOCSIS CPE Configurator
  • Cisco Dynamic Content Adapter
  • Cisco E-Mail Manager
  • Cisco IP Call Center Express (IPCC Express) Enhanced 3.0.0
  • Cisco IP Call Center Express (IPCC Express) Standard 3.0.0
  • Cisco IP Telephony Environment Monitor
  • Cisco IP/TV Server
  • Cisco IP/VC 3540 Application Server
  • Cisco IP/VC 3540 Video Rate Matching Module
  • Cisco Intelligent Contact Manager
  • Cisco Intelligent Contact Manager 5.0.0
  • Cisco Internet Service Node
  • Cisco Lan Management Solution
  • Cisco Media Blender
  • Cisco Network Registrar
  • Cisco Networking Services for Active Directory
  • Cisco Personal Assistant
  • Cisco Personal Assistant 1.3.0 (1)
  • Cisco Personal Assistant 1.3.0 (2)
  • Cisco Personal Assistant 1.3.0 (3)
  • Cisco Personal Assistant 1.3.0 (4)
  • Cisco Personal Assistant 1.4.0 (1)
  • Cisco Personal Assistant 1.4.0 (2)
  • Cisco QoS Policy Manager
  • Cisco Routed Wan Management
  • Cisco SN 5420 Storage Router 1.1.0 (2)
  • Cisco SN 5420 Storage Router 1.1.0 (3)
  • Cisco SN 5420 Storage Router 1.1.0 (4)
  • Cisco SN 5420 Storage Router 1.1.0 (5)
  • Cisco SN 5420 Storage Router 1.1.0 (7)
  • Cisco SN 5420 Storage Router 1.1.3
  • Cisco SN 5428 Storage Router SN5428-2-3.3.1-K9
  • Cisco SN 5428 Storage Router SN5428-2-3.3.2-K9
  • Cisco SN 5428 Storage Router SN5428-2.5.1-K9
  • Cisco SN 5428 Storage Router SN5428-3.2.1-K9
  • Cisco SN 5428 Storage Router SN5428-3.2.2-K9
  • Cisco SN 5428 Storage Router SN5428-3.3.1-K9
  • Cisco SN 5428 Storage Router SN5428-3.3.2-K9
  • Cisco Secure Access Control Server
  • Cisco Secure Access Control Server 3.2.0 (1.20)
  • Cisco Secure Access Control Server 3.2.1
  • Cisco Secure Access Control Server 3.2.2
  • Cisco Secure Policy Manager 3.0.1
  • Cisco Secure Scanner
  • Cisco Service Management
  • Cisco Small Network Management Solution
  • Cisco Trailhead
  • Cisco Transport Manager
  • Cisco Unity Server
  • Cisco Unity Server 2.0.0
  • Cisco Unity Server 2.1.0
  • Cisco Unity Server 2.2.0
  • Cisco Unity Server 2.3.0
  • Cisco Unity Server 2.4.0
  • Cisco Unity Server 2.46.0
  • Cisco Unity Server 3.0.0
  • Cisco Unity Server 3.1.0
  • Cisco Unity Server 3.2.0
  • Cisco Unity Server 3.3.0
  • Cisco Unity Server 4.0.0
  • Cisco User Registration Tool
  • Cisco Voice Manager
  • Cisco uOne Enterprise Edition
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Advanced Server SP1
  • Microsoft Windows 2000 Advanced Server SP2
  • Microsoft Windows 2000 Advanced Server SP3
  • Microsoft Windows 2000 Advanced Server SP4
  • Microsoft Windows 2000 Datacenter Server
  • Microsoft Windows 2000 Datacenter Server SP1
  • Microsoft Windows 2000 Datacenter Server SP2
  • Microsoft Windows 2000 Datacenter Server SP3
  • Microsoft Windows 2000 Datacenter Server SP4
  • Microsoft Windows 2000 Professional
  • Microsoft Windows 2000 Professional SP1
  • Microsoft Windows 2000 Professional SP2
  • Microsoft Windows 2000 Professional SP3
  • Microsoft Windows 2000 Professional SP4
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Server SP1
  • Microsoft Windows 2000 Server SP2
  • Microsoft Windows 2000 Server SP3
  • Microsoft Windows 2000 Server SP4
  • Microsoft Windows XP 64-bit Edition
  • Microsoft Windows XP 64-bit Edition SP1
  • Microsoft Windows XP Home
  • Microsoft Windows XP Home SP1
  • Microsoft Windows XP Media Center Edition
  • Microsoft Windows XP Professional
  • Microsoft Windows XP Professional SP1

Recommendations

Block external access at the network boundary, unless external parties require service.

Filter network traffic of questionable integrity at network boundaries. Use ingress and egress filtering to block the entry and exit of prohibited traffic. Since the service binds to a number of ports, including random ports over 1024, it is strongly encouraged that all ports that do not explicitly require remote access be filtered. Filter all traffic destined for internal broadcast addresses. Use a stateful inspection firewall or application proxy server to ensure that incoming UDP packets with source port 53 are in fact DNS packets and that, of those, only expected replies to internally transmitted DNS queries are allowed in.
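
The stateful check described above, sketched as an added example that is not part of the Symantec advisory: a default-deny inbound UDP filter that drops traffic to internal broadcast addresses and accepts source-port-53 packets only when they are DNS responses matching a tracked outbound query. The class and function names and the documentation-range addresses are assumptions made for illustration.

```python
import ipaddress
import struct

def parse_dns_header(payload):
    """Return (txid, is_response) or None if too short to be a DNS message."""
    if len(payload) < 12:
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)  # QR bit set means response

class BoundaryFilter:
    """Default-deny inbound UDP filter with DNS reply tracking (hypothetical)."""

    def __init__(self, internal_cidr):
        self.net = ipaddress.ip_network(internal_cidr)
        self.pending = set()  # (client_ip, client_port, server_ip, txid)

    def outbound_udp(self, src, sport, dst, dport, payload):
        """Remember DNS queries sent from inside so replies can be matched."""
        hdr = parse_dns_header(payload)
        if dport == 53 and hdr and not hdr[1]:
            self.pending.add((src, sport, dst, hdr[0]))

    def inbound_udp(self, src, sport, dst, dport, payload):
        """Return (allowed, reason) for a packet arriving from outside."""
        dst_ip = ipaddress.ip_address(dst)
        limited = ipaddress.ip_address("255.255.255.255")
        if dst_ip in (self.net.broadcast_address, limited):
            return False, "internal broadcast destination"
        if sport != 53:
            return False, "default deny"
        hdr = parse_dns_header(payload)
        if hdr is None or not hdr[1]:
            return False, "source port 53 but not a DNS response"
        key = (dst, dport, src, hdr[0])
        if key not in self.pending:
            return False, "unsolicited DNS response"
        self.pending.discard(key)  # one reply per tracked query
        return True, "reply to tracked query"

def dns_msg(txid, response):
    """Constructed sample: DNS header plus a question for example.com."""
    flags = 0x8180 if response else 0x0100
    question = b"\x07example\x03com\x00\x00\x01\x00\x01"
    return struct.pack("!6H", txid, flags, 1, 0, 0, 0) + question

def demo():
    fw = BoundaryFilter("192.0.2.0/24")  # constructed documentation addresses
    fw.outbound_udp("192.0.2.10", 40000, "198.51.100.53", 53, dns_msg(0x1A2B, False))
    reply = ("198.51.100.53", 53, "192.0.2.10", 40000, dns_msg(0x1A2B, True))
    return [fw.inbound_udp(*reply), fw.inbound_udp(*reply),
            fw.inbound_udp("203.0.113.7", 53, "192.0.2.10", 40000, b"\x00" * 64),
            fw.inbound_udp("203.0.113.7", 53, "192.0.2.255", 40000, dns_msg(1, True))]
```

The second call with the same reply is rejected because the tracked query is consumed on first match, so a repeated or spoofed response cannot reuse it.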

Deploy network intrusion detection systems to monitor network traffic for malicious activity.

Use network intrusion detection systems to monitor networks for anomalous activity and report attempted attacks against network resources.

Disable any services that are not needed.

Systems that do not require remote users to execute commands should disable remote procedure call (RPC) where possible.

Microsoft has released security advisory MS03-049 to address this issue. Users are strongly advised to obtain fixes, as new attack vectors greatly increase the speed of an attack on a targeted network. Cisco has released a security advisory detailing affected Cisco products. See the referenced advisory for details on obtaining fixes.

Credits

Vulnerability discovery credited to eEye Digital Security. Core Security Technologies has been credited with providing the updated information about the new attack vector of sending a single UDP packet to a broadcast address to exploit all vulnerable systems on a target network.
Copyright © Symantec Corporation.
Permission to redistribute this alert electronically is granted as long as it is not edited in any way unless authorized by Symantec Security Response. Reprinting the whole or part of this alert in any medium other than electronically requires permission from secure@symantec.com.

Disclaimer
The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information.
Symantec, Symantec products, Symantec Security Response, and secure@symantec.com are registered trademarks of Symantec Corp. and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.
