CERT-In Vulnerability Note
Microsoft Windows Local Security Authority Subsystem Service LSASS Integer Underflow DDOS Vulnerability
Original Issue Date: October 15, 2009
Severity Rating: HIGH
- Microsoft Windows XP Service Pack 2 and Windows XP Service Pack 3*
- Microsoft Windows XP Professional x64 Edition Service Pack 2*
- Microsoft Windows Server 2003 Service Pack 2*
- Microsoft Windows Server 2003 x64 Edition Service Pack 2*
- Microsoft Windows Server 2003 with SP2 for Itanium-based Systems*
- Microsoft Windows Vista, Windows Vista Service Pack 1 and Service Pack 2
- Microsoft Windows Vista x64 Edition
- Microsoft Windows Vista x64 Edition Service Pack 1 and Service Pack 2
- Microsoft Windows Server 2008 for 32-bit Systems and with Service Pack 2**
- Microsoft Windows Server 2008 for x64-based Systems and with Service Pack 2**
- Microsoft Windows Server 2008 for Itanium-based Systems and with Service Pack 2
- Microsoft Windows 7 for 32-bit Systems
- Microsoft Windows 7 for x64-based Systems
- Microsoft Windows Server 2008 R2 for x64-based Systems**
- Microsoft Windows Server 2008 R2 for Itanium-based Systems
A vulnerability has been reported in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) that could be exploited by a remote attacker to cause a denial of service.
The Local Security Authority Subsystem Service (LSASS) provides an interface for managing local security, domain authentication, and Active Directory service processes. It handles authentication for the client and for the server. LSASS also contains features that are used to support Active Directory utilities.
Windows Challenge/Response (NT LAN Manager, or NTLM) is the authentication protocol used on networks that include systems running the Windows operating system and on stand-alone systems. NTLM credentials are based on data obtained during the interactive logon process and consist of a domain name, a user name, and a one-way hash of the user's password. NTLM uses an encrypted challenge/response protocol to authenticate a user without sending the user's password over the network.
An integer underflow vulnerability exists in the Microsoft Windows Local Security Authority Subsystem Service (LSASS) due to improper handling of malformed packets during NTLM authentication. An attacker could exploit this vulnerability by creating specially crafted anonymous NTLM authentication frame requests that would crash the server-side LSASS service, causing it to stop responding, and subsequently restart the computer.
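The bug class described above, as an added example (not code from Microsoft or from this note): a length calculation in an NTLM-style message parser that wraps on unsigned subtraction, next to a bounds-checked version. The field layout is assumed from the public MS-NLMP specification; the function names and the sample message are constructed for illustration and do not reproduce the actual LSASS flaw.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Assumed layout (public MS-NLMP spec): 8-byte "NTLMSSP\0" signature,
 * 4-byte message type, then 8-byte field descriptors:
 * Len(2) MaxLen(2) Offset(4), all little-endian. */
#define HDR_LEN  12u
#define DESC_LEN 8u

static uint16_t rd16(const uint8_t *p) {
    return (uint16_t)(p[0] | ((uint16_t)p[1] << 8));
}
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Flawed pattern: unsigned subtraction wraps when offset > msg_len,
 * so the "remaining bytes" value becomes huge instead of negative. */
size_t remaining_unchecked(size_t msg_len, uint32_t offset) {
    return msg_len - offset;
}

/* Hardened: every comparison happens before the subtraction it guards.
 * Returns 0 and sets *data / *len when the field lies inside msg, else -1. */
int field_checked(const uint8_t *msg, size_t msg_len, size_t desc_off,
                  const uint8_t **data, uint16_t *len) {
    if (msg_len < HDR_LEN || memcmp(msg, "NTLMSSP\0", 8) != 0) return -1;
    if (desc_off > msg_len || msg_len - desc_off < DESC_LEN) return -1;
    uint16_t flen = rd16(msg + desc_off);
    uint32_t foff = rd32(msg + desc_off + 4);
    if (foff > msg_len) return -1;          /* offset past end of message */
    if (flen > msg_len - foff) return -1;   /* safe: foff <= msg_len */
    *data = msg + foff;
    *len = flen;
    return 0;
}

/* Constructed sample: header, one descriptor at byte 12, 4 payload bytes. */
int check_sample(uint16_t flen, uint32_t foff) {
    uint8_t m[24] = {'N','T','L','M','S','S','P',0, 3,0,0,0};
    const uint8_t *data; uint16_t len;
    m[12] = (uint8_t)flen;  m[13] = (uint8_t)(flen >> 8);
    m[14] = m[12];          m[15] = m[13];
    m[16] = (uint8_t)foff;         m[17] = (uint8_t)(foff >> 8);
    m[18] = (uint8_t)(foff >> 16); m[19] = (uint8_t)(foff >> 24);
    return field_checked(m, sizeof m, HDR_LEN, &data, &len);
}
```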
Apply appropriate patches as mentioned in Microsoft Security Bulletin
The information provided herein is on an "as is" basis, without warranty of any kind.
Email: firstname.lastname@example.org Phone: +91-11-2436857
Indian Computer Emergency Response Team (CERT-In)
Ministry of Electronics and Information Technology
Government of India
6, CGO Complex, Lodhi Road,
New Delhi - 110 003