Securify bulletin: Microsoft Active Directory Denial-of-service
SECURIFY Bulletin: Active Directory Denial-of-service
=====================================================
I. SUMMARY:
SECURIFY has discovered a denial-of-service vulnerability in Microsoft
Active Directory (AD) in which a domain user sending a specially-crafted
LDAP request causes the Active Directory server to initiate a controlled
restart. Specific products and versions affected and the hotfixes for
them are detailed in Microsoft Security Bulletin MS08-035 (953235).
This vulnerability has been assigned CVE-2008-1445.
II. SYMPTOMS:
After receiving the LDAP request, the AD server returns a partial list
of the requested data to the client. After an additional minute or so,
the Windows initiates a controlled restart with a 60-second countdown
timer. The shutdown dialog box displays status code -1073741819.
After restarting, errors similar to the following are found in the
application event log:
Type: Error
Source: Application Error
Category: (100)
Event ID: 1000
Description: Faulting application lsass.exe, version <version>,
faulting module authz.dll, version <version>, fault address
0x00001d8f
Type: Error
Source: Winlogon
Category: None
Event ID: 1015
Description: A critical system process,
C:\Windows\system32\lsass.exe,
failed with status code c0000005. The machine must now be
restarted.
Type: Information
Source: Application Error
Category: (100)
Event ID: 1004
Description: Reporting queued error:
Faulting application lsass.exe, version <version>,
faulting module authz.dll, version <version>, fault address
0x00001d8f
Errors similar to the following are recorded in the Directory Service
event log:
Type: Error
Source: NTDS General
Category: Internal Processing
Event ID: 1168
Description: Internal error: An Active Directory error has occurred.
Additional Data:
Error value (decimal): 8411
Error value (hex): 20db
Internal ID: 3151e4a
Type: Warning
Source: NTDS General
Category: Internal Processing
Event ID: 1173
Description: Internal event: Active Directory has encountered the
following
exception and associated parameters:
Exception: c0000005
Parameter: 0
Additional Data:
Error value: 76c41d8f
Internal ID: 0
III. SOLUTION:
Apply the hotfix referenced in the Microsoft bulletin.
IV. WORKAROUNDS:
Block TCP ports 389 and 3268 to your Active Directory server from
untrusted sources.
V. ADDITIONAL DETAILS:
The special LDAP request that triggered the restart was a byproduct of
internal development work and was provided to Microsoft immediately upon
discovery. No further research into this vulnerability has been
conducted by SECURIFY.
VI. TIMELINE:
2007-12-08 Initial contact and response from Microsoft PSS
2007-12-27 Initial contact attempt to Microsoft Security Response
Center
2008-01-08 Second contact attempt to Microsoft Security Response
Center
2008-02-11 Initial response from Microsoft Security Response Center
2008-06-10 Hotfix made publicly available by Microsoft
VII. REFERENCES:
Microsoft Security Bulletin MS08-035 (953235)
(http://www.microsoft.com)
CVE-2008-1445 (http://cve.mitre.org/)
VIII. CREDIT:
John Guzik, SECURIFY, INC
Alex Matthews, SECURIFY, INC
IX. About SECURIFY:
http://www.securify.com/
Securify's identity-driven, network-based approach leverages existing
infrastructures to deliver a cost-effective way to discover and control
access and behavior broadly across networks as well as systems.