What's the scope of the vulnerability?
This is a denial of service vulnerability. By sending a continuous stream of specially malformed packets to a domain controller, an attacker could consume most or all of the machine's resources, potentially preventing it from authenticating users. In the worst case, the net result could be that new users might be unable to log on, and logged-on users might be unable to use some network resources.
The effects of the attack would not be permanent, and normal processing would resume once the stream of packets was stopped. If there were multiple domain controllers on a domain, the other machines would assume part of the affected machine's load. Also, if best practices have been followed, the vulnerability could only be exploited by a user within the network -- the ports used in this attack should be blocked at the firewall.
What causes the vulnerability?
This vulnerability exists because one of the services used by Windows 2000 domain controllers doesn't appropriately validate requests before processing them. In at least one case, the service would attempt to process an invalid request rather than simply discarding it, and this processing is fairly resource-intensive.
What could an attacker do via this vulnerability?
By sending the domain controller a continuous stream of specially selected invalid requests, an attacker could disrupt service on the machine. Specifically, she could cause the machine to devote most or all of its resources to responding to invalid requests, which would cause the machine's response to other, valid requests to slow or stop altogether.
If a domain controller's resources were monopolized in this fashion, what would be the effect?
Let's consider the worst case, in which there's only a single domain controller in the domain, and the attacker manages to use 100% of the machine's resources. In this case, the principal effect of a successful attack via this vulnerability would be to prevent the domain controller from logging new users onto the domain, and to prevent the machine from fulfilling queries to the Active Directory.
Would an attack prevent previously logged-on users from using network resources?
Not necessarily. Recall that Windows 2000 uses Kerberos as its default authentication protocol. In Kerberos, the domain controller does not authenticate every use of network resources, but instead provides a reusable ticket the first time a user requests a particular resource. When the user subsequently needs to use that resource, the domain controller doesn't need to be involved in the authentication process. This means that even in the case of a successful attack, users would be able to continue using any resources for which they already had tickets, but they might be unable to obtain new tickets for other resources.
Could this vulnerability cause the domain controller to fail?
No. There is no capability to cause either the machine or the affected service to fail via this vulnerability. This is strictly a denial of service attack effected via resource consumption.
Does the vulnerability always enable the attacker to monopolize all of the machine's resources?
No. In our tests, we were rarely able to drive CPU utilization higher than 75%.
What if the domain had several domain controllers?
In domains that contain multiple domain controllers, the machines work together and shift their workloads dynamically. The more domain controllers there are in a single domain, the less noticeable the loss of a single one would be.
Couldn't I just disable the service that contains the flaw?
No. The affected service is one of the core services on domain controllers and cannot be disabled.
This sounds like a flooding attack, rather than a true security vulnerability. Is it?
There are some similarities between this vulnerability and a flooding attack; for instance, the attack would only persist until the attacker stopped sending requests to the affected machine. Typically, we do not issue patches for flooding attacks. However, in this case, we decided to treat this issue as a vulnerability for two reasons:
• There are elements of this issue that aren't like normal flooding attacks. Specifically, a flooding attack usually involves legitimate requests that happen to be resource-intensive to process. In this case, the requests are invalid and the service should discard them after only a cursory inspection.
• The machines affected by this vulnerability are domain controllers. Because of the centrality of domain controllers to a network, we chose to err on the side of caution and produce a patch.
Could this vulnerability be exploited from the Internet?
If normal security practices have been followed, this vulnerability could only be exploited from within the network. Typically, domain controllers are not used as network edge machines, and firewalling is used to prevent users outside the network from levying any requests directly upon them. If these practices have been followed, Internet users would not be able to send the malformed request to the affected service, and as a result they would be unable to exploit the vulnerability.
Does this vulnerability affect Windows NT® 4.0 domain controllers?
No. Only Windows 2000 domain controllers are affected.
Does this vulnerability affect Windows 2000 workstations or member servers?
No. It only affects domain controllers.
Who should use the patch?
Microsoft recommends that customers consider installing the patch on their Windows 2000 domain controllers.
What does the patch do?
The patch eliminates the vulnerability by causing the affected service to correctly treat as invalid the request at issue here.