From xforce@iss.net Wed Aug 11 04:20:03 1999
From: X-Force
Resent-From: mea culpa
To: alert@iss.net
Resent-To: jericho@attrition.org
Cc: X-Force
Date: Mon, 9 Aug 1999 11:31:33 -0400 (EDT)
Subject: ISSalert: ISS Security Advisory: Denial of Service Attack Against Windows NT Terminal Server

TO UNSUBSCRIBE: email "unsubscribe alert" in the body of your message to
majordomo@iss.net
Contact alert-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----

ISS Security Advisory
August 9, 1999

Denial of Service Attack Against Windows NT Terminal Server

Synopsis:

The ISS X-Force has discovered a denial of service attack against Windows
NT Server 4.0, Terminal Server Edition. This vulnerability allows a remote
attacker to quickly consume all available memory on a Windows NT Terminal
Server, causing a significant disruption for users currently logged into
the terminal server, and preventing any new terminal connections from being
successfully completed.

Recommended Action:

Network administrators can protect internal systems from external attack by
creating a packet filter of the form:

- Prevent all incoming packets destined for TCP port 3389

If you have a legitimate need for terminal server connections to be made
from outside your network, you should limit access to TCP port 3389 to only
the external IP addresses or networks that have a legitimate reason to
connect.

The fix for this problem is available at
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40tse/hotfixes-postSP4/Flood-fix/

The Microsoft bulletin describing this issue is available at
http://www.microsoft.com/security/bulletins/ms99-028.asp.

Description:

Windows NT Server 4.0 Terminal Server Edition listens for terminal
connections on TCP port 3389. Once a TCP connection is made to this port,
the terminal server will utilize resources in order to handle the new
client connection and authenticate the connection. The way this is done,
however, requires significant server resources before any authentication
takes place, and there is no throttling of resource utilization.
Specifically, a remote attacker can quickly cause a server to reach full
memory utilization by creating a large number of normal TCP connections to
port 3389. Individual connections will time out, but a low bandwidth
continuous attack will maintain a terminal server at maximum memory
utilization and prevent new connections from a legitimate source from
taking place. Legitimate new connections will fail at this point with
either a connection timeout error or an error stating that the terminal
server has ended the connection. In testing, a long running attack of this
type has been able to sporadically crash the terminal server executable and
permanently maintain the machine at full memory usage without allowing any
new terminal server connections until the machine was rebooted.

Additional Information:

This vulnerability was primarily researched by David J. Meltzer of the ISS
X-Force.

________

About ISS:

ISS leads the market as the source for e-business risk management
solutions, serving as a trusted security provider to thousands of
organizations including 21 of the 25 largest U.S. commercial banks and more
than 35 government agencies. With its Adaptive Security Management
approach, ISS empowers organizations to measure and manage enterprise
security risks within Intranet, extranet and electronic commerce
environments. Its award-winning SAFEsuite(r) product line of intrusion
detection, vulnerability management and decision support solutions is vital
for protection in today's world of global connectivity, enabling
organizations to proactively monitor, detect and respond to security risks.
Founded in 1994, ISS is headquartered in Atlanta, GA with additional
offices throughout the U.S. and international operations in Australia/New
Zealand, Belgium, France, Germany, Japan, Latin America and the UK. For
more information, visit the ISS Web site at www.iss.net or call
800-776-2362.

Copyright (c) 1999 by Internet Security Systems, Inc.

Permission is hereby granted for the redistribution of this Alert
electronically. It is not to be edited in any way without express consent
of the X-Force. If you wish to reprint the whole or any part of this Alert
in any other medium excluding electronic medium, please e-mail
xforce@iss.net for permission.

Disclaimer

The information within this paper may change without notice. Use of this
information constitutes acceptance for use in an AS IS condition. There are
NO warranties with regard to this information. In no event shall the author
be liable for any damages whatsoever arising out of or in connection with
the use or spread of this information. Any use of this information is at
the user's own risk.

X-Force PGP Key available at: http://xforce.iss.net/sensitive.php3
as well as on MIT's PGP key server and PGP.com's key server.

Please send suggestions, updates, and comments to: X-Force
xforce@iss.net of Internet Security Systems, Inc.

-----BEGIN PGP SIGNATURE-----
Version: 2.6.3a
Charset: noconv

iQCVAwUBN67ziDRfJiV99eG9AQFDggP+N4t+n/UhAxGiBRJDGxjFeJSgfbjbDMd7
m6BVFhe4RSDsmLbKoHnK+8J9bM5RoiWMiY6pMe2YUcfQfRySwz3nfmnzpxXjoUmv
Tv7aWiSvqcc6OVHS7/7tKMzxL49g/6PFPUVqRDhkKrrWbdhTW9uKejn77OfY9l2r
8ckrqQ4k3l4=
=4Kwx
-----END PGP SIGNATURE-----
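Added example (editor's code, not part of the ISS advisory or Microsoft's fix): a small Python script that does two things the advisory asks of an administrator. First, it applies the Recommended Action as a policy check for inbound TCP port 3389: deny everything unless the source lies in an explicitly allowed external network. Second, it scans connection-attempt log lines for the pattern the Description section describes, a single source opening many ordinary TCP connections to port 3389 in a short window, so that a low-bandwidth flood can be spotted before the server runs out of memory. The log format, the allowed network 203.0.113.0/24, the sample addresses and the window/threshold values are constructed assumptions, not anything from the advisory.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime

TERMINAL_SERVER_PORT = 3389  # port named in the advisory

# Constructed sample log: a hypothetical "date time proto src:sport -> dst:dport"
# format, not any real product's output. 198.51.100.7 opens six connections
# to TCP/3389 within two seconds; the 203.0.113.x hosts behave normally.
SAMPLE_LOG = """\
1999-08-09 11:30:00 TCP 198.51.100.7:40001 -> 192.0.2.10:3389
1999-08-09 11:30:00 TCP 198.51.100.7:40002 -> 192.0.2.10:3389
1999-08-09 11:30:01 TCP 198.51.100.7:40003 -> 192.0.2.10:3389
1999-08-09 11:30:01 TCP 198.51.100.7:40004 -> 192.0.2.10:3389
1999-08-09 11:30:02 TCP 198.51.100.7:40005 -> 192.0.2.10:3389
1999-08-09 11:30:02 TCP 198.51.100.7:40006 -> 192.0.2.10:3389
1999-08-09 11:30:03 TCP 203.0.113.44:1025 -> 192.0.2.10:3389
1999-08-09 11:30:05 TCP 203.0.113.44:1026 -> 192.0.2.10:3389
1999-08-09 11:30:09 TCP 198.51.100.7:40007 -> 192.0.2.10:80
1999-08-09 11:31:00 TCP 203.0.113.80:1030 -> 192.0.2.10:3389
"""

# Constructed allow-list: the one external network assumed to have a
# legitimate reason to reach the terminal server.
ALLOWED_SOURCES = [ipaddress.ip_network("203.0.113.0/24")]


def parse_line(line):
    """Parse one constructed log line into (timestamp, source address, dest port)."""
    date, time, _proto, src, _arrow, dst = line.split()
    ts = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
    src_ip = ipaddress.ip_address(src.rsplit(":", 1)[0])
    dst_port = int(dst.rsplit(":", 1)[1])
    return ts, src_ip, dst_port


def filter_decision(src_ip, allowed=ALLOWED_SOURCES):
    """The advisory's packet filter for inbound TCP/3389 as a policy function:
    deny by default, allow only sources inside an explicitly listed network."""
    if isinstance(src_ip, str):
        src_ip = ipaddress.ip_address(src_ip)
    if any(src_ip in net for net in allowed):
        return "allow"
    return "deny"


def flood_sources(log_text, window_seconds=5, threshold=5):
    """Return {source: peak count} for sources that opened at least `threshold`
    connections to TCP/3389 inside any sliding window of `window_seconds`.
    The advisory notes that a low-bandwidth trickle of plain TCP connections
    is enough to keep the server at full memory, so the threshold is kept low."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ts, src_ip, dst_port = parse_line(line)
        if dst_port == TERMINAL_SERVER_PORT:
            by_src[src_ip].append(ts)
    flagged = {}
    for src_ip, times in by_src.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[str(src_ip)] = max(flagged.get(str(src_ip), 0), count)
    return flagged


def triage(log_text):
    """Combine both checks: the filter verdict for every source that touched
    TCP/3389, and the sources whose connection rate looks like a flood."""
    verdicts = {}
    for line in log_text.splitlines():
        _ts, src_ip, dst_port = parse_line(line)
        if dst_port == TERMINAL_SERVER_PORT:
            verdicts.setdefault(str(src_ip), filter_decision(src_ip))
    return {"filter": verdicts, "flood": flood_sources(log_text)}


if __name__ == "__main__":
    for key, value in triage(SAMPLE_LOG).items():
        print(key, value)
```

On the sample data the flooding host is both denied by the allow-list policy and flagged by the rate check, while the two hosts inside the allowed network pass both. The two checks are deliberately independent: the filter is what the advisory recommends as the fix at the network edge, and the rate check is the detection that tells you whether a source inside an allowed network is behaving like the attack the Description section describes.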