CERT-In Vulnerability Note CIVN-2009-70
Multiple Vulnerabilities in Microsoft Windows Active Directory components
Original Issue Date: June 11, 2009
Severity Rating: High
Systems Affected
Installed with Active Directory
- Microsoft Windows 2000 Server Service Pack 4
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
Installed with Active Directory Application Mode (ADAM)
- Windows XP Professional Service Pack 2 and Windows XP Professional Service Pack 3
- Windows XP Professional x64 Edition Service Pack 2
- Windows Server 2003 Service Pack 2
- Windows Server 2003 x64 Edition Service Pack 2
- Windows Server 2003 with SP2 for Itanium-based Systems
Overview
Multiple vulnerabilities have been reported in Microsoft Windows Active Directory components. Successful exploitation of these vulnerabilities could allow an attacker to execute arbitrary code and take complete control of the affected system, or cause the affected server to stop responding.
Description
Active Directory provides central authentication and authorization services for Windows-based computers.
ADAM is a Lightweight Directory Access Protocol (LDAP) directory service that runs as a user service, rather than as a system service. It is a new mode of Active Directory that is designed specifically for directory-enabled applications.
Lightweight Directory Access Protocol (LDAP) is an open network protocol standard designed to provide access to distributed directories.
By default, LDAP traffic is transmitted unsecured. However, it is possible to make LDAP traffic confidential and protect it from modification by using Secure Sockets Layer (SSL) / Transport Layer Security (TLS) technology and installing a properly formatted certificate. This implementation is known as LDAP over SSL (LDAPS).
An OID or Object Identifier is used to name an LDAP object. An LDAP query can contain a filter to select data from an LDAP namespace that matches a specific OID only.
1. Active Directory Invalid Free Vulnerability (CVE-2009-1138)
This is a remote code execution vulnerability caused by invalid memory free operations that occur while processing a malformed LDAP or LDAPS request.
An attacker could exploit this vulnerability by sending a malicious LDAP or LDAPS request to an Active Directory service. Processing the request could cause the service to free memory areas unexpectedly, resulting in memory corruption. The attacker could leverage the memory corruption to execute arbitrary code with the elevated privileges of the Active Directory service, which typically runs as the 'LocalSystem' service account, and thereby take complete control of an affected system.
2. Active Directory Memory Leak Vulnerability (CVE-2009-1139)
This is a denial of service (DoS) vulnerability caused by errors in memory management when processing LDAP or LDAPS requests. Active Directory services may not properly free memory areas after use when handling LDAP or LDAPS requests containing object identifier filters. As a result, the services may leak memory until all available system memory is consumed.
An attacker could exploit this vulnerability by sending a series of LDAP or LDAPS requests to the affected system designed to cause Active Directory to consume available memory resources on the system, resulting in a DoS condition.
Solution
Apply the appropriate updates as described in Microsoft Security Bulletin MS09-018.
Workarounds
- Block TCP ports 389, 636, 3268 and 3269 at the firewall
- Disable anonymous LDAP access on Microsoft Windows 2000 servers
Vendor Information
Microsoft
http://www.microsoft.com/technet/security/bulletin/ms09-018.mspx
References
Secunia
http://secunia.com/advisories/35355/
Security Tracker
http://www.securitytracker.com/alerts/2009/Jun/1022349.html
SecurityFocus
http://www.securityfocus.com/bid/35225
http://www.securityfocus.com/bid/35226
Cisco
http://tools.cisco.com/security/center/viewAlert.x?alertId=18399
http://tools.cisco.com/security/center/viewAlert.x?alertId=18400
VUPEN
http://www.vupen.com/english/advisories/2009/1537
CVE Name
CVE-2009-1138
CVE-2009-1139
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information
Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003