Why is Microsoft re-releasing this bulletin?
Microsoft originally released this bulletin to advise customers of a workaround procedure that could be used while a patch was under development. Microsoft has completed the patches for all platforms, and has updated the bulletin to advise customers of their availability.
After releasing the patches for Windows NT 4.0 Terminal Server Edition, it was discovered on March 14, 2002 that the patches for English and German contained incorrect files. We have corrected the error and provided an updated patch.
What's the scope of the vulnerability?
This is a buffer overrun vulnerability. If a particular service had been installed and was running on an affected system, it could be possible for an attacker to cause a denial of service on the system. In addition, it is possible that they could run code of their choice.
The service at issue in this vulnerability is neither installed nor running by default on any version of Windows. In addition, the circumstances under which the vulnerability could be exploited would likely prevent it from being exploited by an Internet-based attacker.
What causes the vulnerability?
The vulnerability results because the component of the SNMP agent service that parses incoming commands contains an unchecked buffer. By sending a specially malformed request, it could be possible to conduct a buffer overrun attack against an affected system.
What is SNMP?
SNMP (Simple Network Management Protocol) is a protocol that allows administrators to remotely manage network devices such as servers, workstations, routers, bridges, firewalls, and so forth. SNMP is an industry-standard protocol, which allows devices made by many different vendors to be managed via the protocol.
How does SNMP work?
In order for an administrator to use SNMP, there has to be an agent - that is, a service that listens for commands and executes them - on every machine that needs to be managed. Next, the administrator needs to know a password (known in SNMP parlance as a community name) that provides either read-only or read-write access, as appropriate. When the administrator issues a management command, the SNMP software on his system refers to a database (called the Management Information Base) that translates those commands into ones that will be meaningful to the other machine.
How secure is SNMP?
SNMP is, by design, not a secure protocol. For instance, all communications in SNMP take place in plaintext, so community names and other potentially sensitive information could be determined by monitoring the network. Microsoft has long recommended using other, more secure methods of managing networks, and this is why the SNMP agent service that ships with Windows platforms is neither installed nor running by default.
What Windows products provide SNMP support?
An SNMP agent service is included in Windows 95, Windows 98, Windows 98SE, Windows NT 4.0, Windows 2000, and Windows XP. However, it's neither installed nor running by default in any of them. Windows ME doesn't provide an SNMP service of any kind.
Which products' SNMP services are affected by the vulnerability?
All SNMP services are affected. This includes: Windows 95, Windows 98, Windows 98SE, Windows NT 4.0, Windows 2000, and Windows XP.
What's wrong with the SNMP implementations in the affected products?
The SNMP implementations in the affected products have an unchecked buffer in a part of the software that processes management requests. If the SNMP agent service received a management request that's malformed in a particular way, the effect would be to overrun the buffer. If the data in the management request were carefully chosen, it would have the effect of altering the operation of the SNMP service while it was running.
What would this enable an attacker to do?
An attacker who successfully exploited this vulnerability could cause a denial of service in the SNMP service. In addition, it is possible that they could change the operation of the SNMP service. Because it runs as part of the operating system, this would potentially give the attacker complete control over the system.
Who could exploit the vulnerability?
To exploit the vulnerability, the attacker would need to be able to deliver SNMP management requests to the SNMP Service.
How difficult would it be for the attacker to deliver SNMP Management requests to an affected system?
It's likely that an attacker located within a network could deliver SNMP management requests to most other systems on the network, since SNMP operates over TCP/IP. However, if normal firewalling has been performed, it might be impossible for an attacker located on the Internet to deliver management requests to a system behind the firewall, as standard firewalling recommendations include blocking UDP ports 161 and 162, the ports over which SNMP traffic travels.
How likely is it that a web server or other Internet-exposed system would be vulnerable?
If best practices have been followed, SNMP wouldn't be used on an Internet-exposed machine. As we discussed above, SNMP is not a secure protocol, and as a result it's never appropriate to use SNMP to manage a system on the Internet.
How do I disable the SNMP service?
Just follow the steps for the system you're using.
• Windows 95, 98 and 98SE:
  1. In Control Panel, double-click Network.
  2. On the Configuration tab, select Microsoft SNMP Agent from the list of installed components.
  3. Click Remove.
  Check the following keys and confirm that snmp.exe is not listed:
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run

• Windows NT 4.0 (including Terminal Server Edition):
  1. Select Start, then Settings.
  2. Select Control Panel, then click on the Services icon.
  3. Locate SNMP on the list of services, then select it and click Stop.
  4. Select Startup, and click Disabled.
  5. Click OK to close the dialogue, then close Control Panel.

• Windows 2000:
  1. Right-click on My Computer and select Manage.
  2. Click on Services and Applications, then on Services.
  3. Locate SNMP on the list of services, then select it and click Stop.
  4. Select Startup, and click Disabled.
  5. Click OK to close the dialogue, then close the Computer Management window.

• Windows XP:
  1. Right-click on My Computer and select Manage.
  2. Click on Services and Applications, then on Services.
  3. Locate SNMP on the list of services, then select it and click Stop.
  4. Select Startup, and click Disabled.
  5. Click OK to close the dialogue, then close the Computer Management window.
I previously disabled the SNMP Service on Windows 2000 or Windows XP. How do I re-enable the SNMP service?
Follow the steps for the system you're using, but only if the service was running before and you want it to run again.
• Windows 2000:
  1. Right-click on My Computer and select Manage.
  2. Click on Services and Applications, then on Services.
  3. Locate SNMP on the list of services, then select it.
  4. Right-click and select Properties, select Startup, and click Automatic.
  5. Click OK to close the dialogue.
  6. Right-click and select Start.
  7. Close the Computer Management window.

• Windows XP:
  1. Right-click on My Computer and select Manage.
  2. Click on Services and Applications, then on Services.
  3. Locate SNMP on the list of services, then select it.
  4. Right-click and select Properties, select Startup, and click Automatic.
  5. Click OK to close the dialogue.
  6. Right-click and select Start.
  7. Close the Computer Management window.
I haven't installed the SNMP service on my system. Am I at any risk?
No. You're only at risk if the SNMP service is running.
What does the patch do?
The patch eliminates the vulnerability by instituting proper input checking on the command parser in the SNMP agent service.
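To make "proper input checking" in a request parser concrete, here is an added illustration (not Microsoft's code, and not part of the original bulletin) of reading the start of an SNMPv1 message with every length field validated before use. The bulletin does not say which field was unchecked; the community name, the 16-byte buffer, the function names and the sample datagrams are assumptions constructed for the example.

```c
#include <stdint.h>
#include <string.h>

#define COMMUNITY_MAX 16   /* assumed destination buffer size (example only) */

/* Read one BER tag/length header at *pos. On success, move *pos to the first
 * value byte and store the value length in *vlen. Returns -1 if malformed. */
static int ber_header(const uint8_t *buf, size_t len, size_t *pos,
                      uint8_t tag, size_t *vlen)
{
    if (len - *pos < 2 || buf[*pos] != tag) return -1;
    size_t p = *pos + 1;
    size_t n = buf[p++];
    if (n & 0x80) {                       /* long form: low 7 bits = byte count */
        size_t cnt = n & 0x7f;
        if (cnt == 0 || cnt > 2 || len - p < cnt) return -1;
        n = 0;
        while (cnt--) n = (n << 8) | buf[p++];
    }
    if (n > len - p) return -1;           /* declared length must fit the data */
    *pos = p;
    *vlen = n;
    return 0;
}

/* Parse SEQUENCE { INTEGER version, OCTET STRING community, ... } and copy the
 * community name into out. Returns its length, or -1 on any inconsistency. */
int snmp_community(const uint8_t *pkt, size_t len, char out[COMMUNITY_MAX])
{
    size_t pos = 0, vlen;
    if (ber_header(pkt, len, &pos, 0x30, &vlen)) return -1;  /* SEQUENCE */
    len = pos + vlen;                     /* confine parsing to the sequence */
    if (ber_header(pkt, len, &pos, 0x02, &vlen)) return -1;  /* version */
    pos += vlen;
    if (ber_header(pkt, len, &pos, 0x04, &vlen)) return -1;  /* community */
    if (vlen >= COMMUNITY_MAX) return -1; /* check that an unchecked copy omits */
    memcpy(out, pkt + pos, vlen);
    out[vlen] = '\0';
    return (int)vlen;
}

/* Constructed sample datagrams (not captured traffic). */
const uint8_t GOOD[] = {0x30,0x0d, 0x02,0x01,0x00,
                        0x04,0x06,'p','u','b','l','i','c', 0xa0,0x00};
const uint8_t TOO_LONG[] = {0x30,0x17, 0x02,0x01,0x00, 0x04,0x10,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A', 0xa0,0x00};
```

GOOD parses to the community name "public"; the same bytes truncated to 8 are rejected because the outer length exceeds the datagram, and TOO_LONG is rejected because its 16-byte name would not fit the destination buffer with its terminator.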
I downloaded the Windows NT 4.0 Terminal Server Edition patch for English or German prior to March 14, 2002. What should I do?
You should download the updated patches and use those to update your system.
I installed the earlier version of these patches on my system. What do I need to do?
Once you've downloaded the updated patch, you can apply that to your system. It will overwrite the previous version of the patch. There is no need to uninstall the previous version.
I've downloaded a Windows NT 4.0 Terminal Server Edition patch in a language other than English or German. Do I need to do anything?
No. The problem only affects the patches in English and German. Patches in other languages do not suffer from this problem and do not need to be re-downloaded or re-applied.