INFORMATION BULLETIN
INFORMATION BULLETIN
| PROBLEM: | A remote code execution vulneraiblity exists in the way that Active Directory validates a LDAP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| PLATFORM: | Microsoft Windows 2000 Server Service Pack 4 Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 Windows Server 2003 with SP1 for Intanium-based Systems and Windows Server 2003 with SP2 for Intanium-based Systems Storage Management Appliance v2.1 Software running on Storage Management Appliance I, II, III |
| DAMAGE: | Remote code execution. |
| SOLUTION: | Upgrade to the appropriate version. |
| VULNERABILITY ASSESSMENT: |
The risk is HIGH. An attacker who successfully exploited this vulnerability could take complete control of an affected system. |
| LINKS: | |
| CIAC BULLETIN: | http://www.ciac.org/ciac/bulletins/r-294.shtml |
| ORIGINAL BULLETIN: | http://www.microsoft.com/technet/security/Bulletin/MS07-039.mspx |
| ADDITIONAL LINK: | Visit Hewelett-Packard's Subscription Service for: HPSBST02243 SSRT071446 rev. 1 |
| CVE: | CVE-2007-0040 CVE-2007-3028 |
REVISION HISTORY:
07/13/2007 - revised R-294 to reflect changes Microsoft has made in MS07-039 where
they updated the bulletin to add FAQ section for ADAM dependencies and
deployment to all 2000 and 2003 systems.
07/27/2007 - revised R-294 to to add a link to Hewlett-Packard's Subscription
Service for HPSBST02243 SSRT071446 rev. 1 for Storage Management Appliance
v2.1 Software running on Storage Management Appliance I, II, III.
[***** Start Microsoft Security Bulletin (MS07-039) *****]
Version: 1.1
This critical security update resolves a privately reported vulnerability in implementations of Active Directory on Windows 2000 Server and Windows Server 2003 that could allow remote code execution or a denial of service condition. Attacks attempting to exploit this vulnerability would most likely result in a denial of service condition. However remote code execution could be possible. On Windows Server 2003 an attacker must have valid logon credentials to exploit this vulnerability. An attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts.
This is a critical security update for supported editions of Windows 2000 and an important security update for supported editions of Windows Server 2003. For more information, see the subsection, Affected and Non-Affected Software, in this section.
This security update addresses the vulnerability by validating the number of convertible attributes in the client LDAP request. For more information about the vulnerability, see the next section, Vulnerability Information.
Recommendation. Microsoft recommends that customers apply the update immediately.
Known Issues. None.
The following software have been tested to determine which editions are affected. Other versions or editions are either past their support life cycle or are not affected. To determine the support life cycle for your software version or edition, visit Microsoft Support Lifecycle.
Affected Software
| Operating System | Maximum Security Impact | Aggregate Severity Rating | Bulletins Replaced by This Update |
Remote Code Execution |
Critical |
None |
|
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Remote Code Execution |
Important |
None |
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Remote Code Execution |
Important |
None |
Remote Code Execution |
Important |
None |
Non-Affected Software
| Operating System |
Windows 2000 Professional Service Pack 4 |
Windows XP Service Pack 2 |
Windows XP Professional x64 Edition and Windows XP Professional x64 Edition Service Pack 2 |
Windows Vista |
Windows Vista x64 Edition |
Note: These editions of Windows are not affected because they do not include the Active Directory server component.
Vulnerability Information
| Vulnerability Severity Rating and Maximum Security Impact by Affected Software | |||
| Affected Software | Active Directory Remote Code Execution Vulnerability – CVE-2007-0040 | Active Directory Denial of Service Vulnerability – CVE- 2007-3028 | Aggregate Severity Rating |
Windows 2000 Server Service Pack 4 |
Critical Remote Code Execution |
Important Denial Of Service |
Critical |
Windows Server 2003 Service Pack 1 and Windows Server 2003 Service Pack 2 |
Important Remote Code Execution |
None |
Important |
Windows Server 2003 x64 Edition and Windows Server 2003 x64 Edition Service Pack 2 |
Important Remote Code Execution |
None |
Important |
Windows Server 2003 with SP1 for Itanium-based Systems and Windows Server 2003 with SP2 for Itanium-based Systems |
Important Remote Code Execution |
None |
Important |
A remote code execution vulnerability exists in the way that Active Directory validates a LDAP request. An attacker who successfully exploited this vulnerability could take complete control of an affected system.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-0040.
A denial of service vulnerability exists in the way that Microsoft Active Directory validates a client-sent LDAP request. An attacker could exploit the vulnerability by sending a specially crafted LDAP request to a server running Active Directory. An attacker who successfully exploited this vulnerability could cause the server to temporarily stop responding.
To view this vulnerability as a standard entry in the Common Vulnerabilities and Exposures list, see CVE-2007-3028.
Update Information
Detection and Deployment Tools and Guidance |
Affected Software
For information about the specific security update for your affected software, click the appropriate link:
* Windows 2000 Server (all editions)
* Windows Server 2003 (all editions)
Microsoft thanks the following for working with us to help protect customers:
| • | Peter Winter-Smith of NGSSoftware, for reporting the Windows Active Directory Denial of Service Vulnerability-CVE-2007-3028. |
| • | Neel Mehta of IBM Internet Security Systems x-Force, for reporting the Windows Active Directory Remote Code Execution Vulnerability-CVE-2007-0040. |
| • | Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates. |
| • | International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site. |
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
| • | V1.0 (July 10, 2007): Bulletin published. V1.1 (July 12, 2007): Bulletin Revised: Updating bulletin to add FAQ section for ADAM dependencies and deployment to all 2000 and 2003 systems. |
[***** End Microsoft Security Bulletin (MS07-039) *****]
Voice: +1 866-941-2472 (7 x 24)
E-mail: doecirc@doecirc.energy.gov
World Wide Web: http://www.doecirc.energy.gov/