CERT-In Vulnerability Note CIVN-2006-48
Microsoft Windows RRAS Memory and Registry Corruption Vulnerability
Original issue date: June 14, 2006
Severity Rating: High
Systems Affected
- Microsoft Windows 2000 Service Pack 4
- Microsoft Windows XP Service Pack 1 & Service Pack 2
- Microsoft Windows XP Professional x64 Edition
- Microsoft Windows Server 2003 Service Pack 1
- Microsoft Windows Server 2003 (Itanium)
- Microsoft Windows Server 2003 with SP1 (Itanium)
- Microsoft Windows Server 2003 x64 Edition
Overview
RRAS enables a computer to function as a network router. RRAS also provides the next generation of server functionality for the Remote Access Service (RAS) for Windows. The Remote Access Service facilitates connections to remote computers over phone lines, enabling activities such as email, fax, file retrieval and printing. The Remote Access Service is a native service in Windows 2000, Windows XP and Windows Server 2003.
Two vulnerabilities have been reported in Routing and Remote Access service (RRAS) and Remote Access Connection Manager service (RASMAN) which could be exploited by remote attackers to take complete control of the affected system.
Description
1) Routing and Remote Access service (RRAS) buffer overflow vulnerability (CVE-2006-2370)
A vulnerability has been reported in the Routing and Remote Access service (RRAS) in Microsoft Windows, caused by a buffer overflow error while handling some malformed requests from a user. Successful exploitation of this vulnerability could allow an attacker to take complete control of the affected system.
2) Remote Access Connection Manager service (RASMAN) registry corruption vulnerability (CVE-2006-2371)
A buffer overflow vulnerability has been reported in the Remote Access Connection Manager service (RASMAN) in Microsoft Windows. A remote attacker could exploit this vulnerability by making specially crafted RPC requests, which could lead to registry corruption. Successful exploitation of this vulnerability could allow an attacker to take complete control of the affected system.
Note that on Windows XP Service Pack 2 and Windows Server 2003 systems, an attacker must have valid logon credentials and be able to log on locally to exploit these vulnerabilities.
Workarounds
- Disable the Remote Access Connection Manager service if not required.
- Block the following at the firewall:
  - UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
  - All unsolicited inbound traffic on ports greater than 1024
  - Any other specifically configured RPC port
- Use a personal firewall.
- Enable advanced TCP/IP filtering on systems that support this feature.
- Block the affected ports by using IPSec on the affected systems.
For detailed steps of these workarounds, refer to Microsoft Security Bulletin MS06-025.
Solution
Apply the appropriate patches as mentioned in Microsoft Security Bulletin MS06-025.
Vendor Information
Microsoft
Microsoft Security Bulletin MS06-025
References
US-CERT
http://www.kb.cert.org/vuls/id/814644
FrSIRT
http://www.frsirt.com/english/advisories/2006/2323
Security Focus
http://www.securityfocus.com/archive/1/436977
http://www.securityfocus.com/bid/18358
http://www.securityfocus.com/bid/18325
CVE Name
CVE-2006-2370
CVE-2006-2371
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
