Search This Blog

Wednesday, June 13, 2007

[NT] Vulnerability in the Windows Schannel Security Package Allows Code Execution (MS07-031)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion

The SecuriTeam alerts list - Free, Accurate, Independent.

Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html


- - - - - - - - -

Vulnerability in the Windows Schannel Security Package Allows Code
Execution (MS07-031)
------------------------------------------------------------------------


SUMMARY

This critical security update resolves a privately reported vulnerability
in the Secure Channel (Schannel) security package in Windows. The Schannel
security package implements the Secure Sockets Layer (SSL) and Transport
Layer Security (TLS) Internet standard authentication protocols. This
vulnerability could allow remote code execution if a user viewed a
specially crafted Web page using an Internet Web browser or used an
application that makes use of SSL/TLS. However, attempts to exploit this
vulnerability would most likely result in the Internet Web browser or
application exiting. The system would not be able to connect to Web sites
or resources using SSL or TLS until a restart of the system.

This is a critical security update for supported editions of Windows XP,
important for editions of Windows 2003, and moderate for editions of
Windows 2000. For more information, see the subsection, Affected and
Non-Affected Software, in this section.

This security update addresses the vulnerability by modifying the way that
the client parses server-key exchange data sent from the server. For more
information about the vulnerability, see the Frequently Asked Questions
(FAQ) subsection for the specific vulnerability entry under the next
section, Vulnerability Information.

DETAILS

Affected Software:
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=5b8e728c-cb9f-4176-93a0-bf42d6387f93> Windows 2000 Service Pack 4 - Denial of Service - Moderate
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=8615e6f3-415b-4c23-ba52-7eef70a11d77> Windows XP Service Pack 2 - Remote Code Execution - Critical
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=7e994340-c616-4f66-845b-7eaf095e968a> Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 - Remote Code Execution - Critical
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=39e6c6d2-7e6f-4992-a731-36f44fe2d87f> Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 - Denial of Service - Important
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=da424772-079c-4351-9759-8886e0f1ba79> Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 - Denial of Service - Important
*
<http://www.microsoft.com/downloads/details.aspx?FamilyId=028592ff-2b69-472e-b186-bd2cc76bdfa4> Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems - Denial of Service - Important

Vulnerability in the Windows Schannel Security Package - CVE-2007-2218
A remote code execution vulnerability exists in the way that Windows
Schannel on a client machine validates server-sent digital signatures. An
attacker could host a specially crafted Web site that is designed to
exploit these vulnerabilities through an Internet Web browser and then
convince a user to view the Web site. In all cases, however, an attacker
would have no way to force users to visit these Web sites. Instead, an
attacker would have to convince users to visit the Web site, typically by
getting them to click a link in an e-mail message or in an Instant
Messenger message that takes users to the attacker's Web site.

To view this vulnerability as a standard entry in the Common
Vulnerabilities and Exposures list, see
<http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2218>
CVE-2007-2218.

Mitigating Factors for Vulnerability in the Windows Schannel Security
Package - CVE-2007-2218
Mitigation refers to a setting, common configuration, or general
best-practice, existing in a default state, that could reduce the severity
of exploitation of a vulnerability. The following mitigating factors may
be helpful in your situation:

* In a Web-based attack scenario, an attacker could host a Web site that
contains a Web page that is used to exploit this vulnerability. In
addition, Web sites that accept or host user-provided content or
advertisements could contain specially crafted content that could exploit
this vulnerability. In all cases, however, an attacker would have no way
to force users to visit these Web sites. Instead, an attacker would have
to convince users to visit the Web site, typically by getting them to
click a link in an e-mail message or Instant Messenger message that takes
users to the attacker's Web site.

* Attempts to exploit this vulnerability will most probably result in a
Denial of Service condition caused by an unexpected restart of the
affected system rather than Remote Code Execution. On Windows 2000, the
denial of service condition is limited to existing and new SSL and TLS
connections whereas the system would still be available otherwise. On
Windows Server 2003, a successful attack would cause the system to
restart.

FAQ for Vulnerability in the Windows Schannel Security Package -
CVE-2007-2218
What is the scope of the vulnerability?
On Windows XP, this is a remote code execution vulnerability. An attacker
who successfully exploited this vulnerability could remotely take complete
control of an affected system. An attacker could then install programs;
view, change, or delete data; or create new accounts with full user
rights. Attempts to exploit this vulnerability will most probably result
in a denial of service condition rather than remote code execution.

On Windows 2000 this vulnerability could cause the affected system to stop
accepting SSL and TLS connections. The system would not be able to connect
to Web sites or resources using SSL or TLS until a restart of the system.

On Windows 2003, the vulnerability could cause the affected system to
automatically restart.

This vulnerability would not allow an attacker to execute code or to
elevate their user rights directly on Windows 2000 and Windows 2003.

What causes the vulnerability?
Schannel performs insufficient checks for specially crafted server-sent
digital signatures during the SSL handshake.

What is Schannel?
The Secure Channel (Schannel) security package is a Security Support
Provider (SSP) that implements the Secure Sockets Layer (SSL) and
Transport Layer Security (TLS) Internet standard authentication protocols.
Schannel is part of the security package that provides an authentication
service to provide secure communications between client and server. For
more information about Schannel, visit the following MSDN Web site.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could take
complete control of the affected system on Windows XP editions. However,
attempts to exploit this vulnerability would most likely result in an
Internet Web browser or application using SSL/TLS to exit. The system
would not be able to connect to Web sites or resources using SSL or TLS
until a restart of the system. On Windows 2000 editions and Windows 2003
editions attempts to exploit this vulnerability would result in a denial
of service condition.

How could an attacker exploit the vulnerability?
An attacker could host a specially crafted Web site that is designed to
exploit this vulnerability through an Internet Web browser and then
convince a user to view the Web site. The processing of this specially
crafted server-sent digital signature causes any application that uses
this API to exit, and also disables the SSL protocol until the next system
restart. In all cases, however, an attacker would have no way to force
users to visit these Web sites. Instead, an attacker would have to
convince users to visit the Web site, typically by getting them to click a
link in an e-mail message or in an Instant Messenger request that takes
users to the attacker's Web site.

What systems are primarily at risk from the vulnerability?
This vulnerability requires that a user is logged on and visits a Web site
for any malicious action to occur. Therefore, any systems where an
Internet Web browser or applications that use SSL or TLS is used
frequently, such as workstations or terminal servers, are at the most risk
from this vulnerability.

What does the update do?
The update removes the vulnerability by modifying the way that the client
parses server-key exchange data sent from the server.

When this security bulletin was issued, had this vulnerability been
publicly disclosed?
No. Microsoft received information about this vulnerability through
responsible disclosure.

When this security bulletin was issued, had Microsoft received any reports
that this vulnerability was being exploited?
No. Microsoft had not received any information to indicate that this
vulnerability had been publicly used to attack customers and had not seen
any examples of proof of concept code published when this security
bulletin was originally issued.


ADDITIONAL INFORMATION

The information has been provided by Microsoft Product Security.
The original article can be found at:
<http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx>

http://www.microsoft.com/technet/security/Bulletin/MS07-031.mspx

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com


====================
====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.

No comments: