News

New DoS Vulnerability Emerges in W2K, NT4

• By Stephen Swoyer
• 08/15/2001

The software giant claims that .the latest vulnerability is comparatively limited in scope, however, because it affects only Windows NT 4.0 and Windows 2000 Server systems running the Network News Transport Protocol (NNTP) server component of Microsoft’s IIS 4.0 and IIS 5.0 products.

NNTP must be manually selected and installed by means of the Windows NT 4.0 Option Pack on Windows NT systems. On Windows 2000 systems, however, it’s installed by default with IIS 5.0.

According to a bulletin which Microsoft Tuesday night dispatched to the subscribers of its “Security” mailing list, the NNTP server component that ships with IIS 4.0 and IIS 5.0 contains a memory leak in a routine that processes new posts.

Microsoft says the vulnerability can be exploited in a DoS attack by means of malformed NNTP posts. Each time the NNTP server processes a post that contains a malformed construction, Microsoft says, a Windows NT 4.0 or Windows 2000 system’s overall resources are correspondingly depleted.

The software giant acknowledges that it’s possible to deplete server resources to such an extent that other services and applications residing on the same system could be affected, as well. In a worst case scenario, it allows, an attacked server could stop responding altogether.

Microsoft says that the NNTP service must first be configured to accept new posts if a DoS attack is to be successfully perpetrated. In this respect, Windows NT 4.0 and Windows 2000 systems that have NNTP installed but which haven’t been configured to allow posting are not vulnerable to attack.

Exchange 2000 Affected?

Microsoft Tuesday night claimed that only Windows NT 4.0 and Windows 2000 systems running IIS and supporting NNTP are affected by this latest vulnerability.

At least one observer suggests that Exchange 2000 installations – which also require the installation of IIS 5.0’s NNTP component – could increase the vulnerability of a Windows 2000 Server.

Contrary to default installs of IIS 4.0 and IIS 5.0 – in which NNTP is not configured by default – Exchange 2000 supports a default NNTP configuration. Microsoft warned that only NNTP servers which are configured to accept posts are affected by this latest vulnerability.

“The bulletin doesn’t say anything about whether Exchange 2000 is affected, but it stands to reason that it is,” notes Edward Ko, an Exchange 2000 administrator and network coordinator with the Pennsylvania State University. “If you install Exchange 2000 and if you don’t specifically stop the NNTP virtual service, it [the NNTP service] will accept posts in a few default groups.”

On the other hand, Ko says, because Exchange 2000 extends the base capabilities of IIS 5.0’s native NNTP services, it could also be immune to the new DoS vulnerability. He cites the case of a relaying vulnerability that was discovered last month in IIS’ SMTP server component and which affected only Windows NT 4.0 and Windows 2000 systems. “Exchange 2000 boxes were protected against that one because [Exchange] enhances IIS’ [native] SMTP services,” Ko says.

Microsoft did not immediately respond to a request for comment.