A recently discovered flaw can result in a denial of service attack on all Windows 2000 domain controllers. The DoS attack would deny new users access to network services, as well as potentially affecting some users already logged on to the network. This problem can only be fixed with a patch.

To initiate the attack, someone would send a series of malformed requests to Windows 2000 domain controller. These requests would tie up the machine’s memory and eventually bring the domain controller to a halt, preventing it from issuing new Kerberos tickets.

Level of risk—moderate
Although this can be a serious threat, there are several mitigating factors that can reduce the danger it poses. The most important factor is that if you follow standard security practices in setting up a firewall, any attack from the Internet using the malformed requests meant for a domain controller will be blocked by the firewall so the server will be vulnerable to this attack only from inside the network.

If this attack does hit a domain controller, rebooting the system will make it available again since there is no payload carried over by the malformed requests.

Probably the most vulnerable targets for these attacks are small installations because of the limited number of domain controllers and the limited security resources. In large installations where there is usually strong security and multiple domain controllers, any attack on one DC would result in the other DCs taking over the load for the one under attack.

Applicability
Windows 2000 Server, Windows 2000 Advanced Server, and Windows 2000 Datacenter Server are all affected by this vulnerability.

Fix
Since the vulnerability exists in a core service on all Windows 2000 domain controllers, it can’t be disabled without taking the domain controller offline and applying the Microsoft patch. For Windows 2000 Server and Advanced Server, the patch is available from Microsoft.

Users of Microsoft Windows 2000 Datacenter Server should contact their OEM because the patches are hardware-specific.

Further information
This vulnerability is caused by a fault known as a memory leak, which results in memory being filled up by the attack so it isn’t available to users. Memory is allocated to this specific process in the normal manner, but the malformed request causes the process to fail to release the segment of memory when it is finished. This is a fault in the way the software deals with requests and can quickly fill up memory with old processes piled one on the other, never properly completing their task by relinquishing the memory it was using.

Since the memory is filling up on a domain controller and will mostly slow or block authorization to new users, it might be awhile before the system administrator discovers the attack.

Because Windows 2000 uses Kerberos for the default authentication protocol, the many systems relying on Kerberos will be slow to suffer damage from this vulnerability because of the way Kerberos issues reusable tickets to authenticated users rather than authorizing each network resource. Once the ticket is issued, the domain server often won’t be involved unless the ticket expires. In fact, users already on the system might not experience any difficulty, so the attack may be that much more difficult to detect in its early stages.

Since the vulnerability exists in a core service, there is no workaround and no way to disable a single service and still keep the domain controller online. Installing the patch is the only option if you feel your system is likely to be attacked from inside or has a weak firewall configuration that could allow outsiders to initiate the attack on your domain controllers.

At a minimum, you should check to see that TCP ports 88 and 464 are blocked at the firewall. That should be enough to protect against outsiders taking advantage of this vulnerability, but systems will still be vulnerable to internal attacks.

The patch, which supersedes the patch supplied with Microsoft Security Bulletin MS01-011, is relatively basic because it only causes the affected service to ignore the invalid request. Microsoft Security Bulletin MS01-024 covers this DoS threat in detail.

Do you plan to install this patch on your Win2K domain controllers?

We look forward to getting your input and hearing about your experiences regarding this topic. Join the discussion below or send the editor an e-mail.