Microsoft Security Bulletin MS01-052

Technical description:

Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the Windows NT Server 4.0 Terminal Server Edition security update. The updated version of this security update addresses a security vulnerability that could occur with the original release that could allow an attacker to attempt a denial of service attack against Windows NT Server 4.0 Terminal Server Edition systems. Customers need to install the revised update even if they installed the prior version. This issue does not affect other operating systems. If you have previously applied the security updates for other operating systems, this revised update does not need to be installed.

On October 18, 2001 Microsoft released the original version of this bulletin. On October 19, 2001, an issue was identified with the Windows 2000 patch. The patch was withdrawn so that it could be updated and re-released. On October 22, 2001 the updated patch and bulletin were posted.

We recommend that customers who installed the original version of the Windows 2000 patch install the updated version.

The implementation of the Remote Data Protocol (RDP) in the terminal service in Windows NT 4.0 and Windows 2000 does not correctly handle a particular series of data packets. If such a series of packets were received by an affected server, it would cause the server to fail. The server could be put back into normal service by rebooting it, but any work in progress at the time of the attack would be lost.

It would not be necessary for an attacker to be able to start a session with an affected server in order to exploit this vulnerability - the only prerequisite would be the need to be able to send the correct series of packets to the RDP port on the server.

Mitigating factors:

Risk Rating:

The above assessment is based on the types of systems affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them. Only terminal servers -- which are typically deployed as intranet rather Internet servers -- are at risk from the vulnerability, and it poses a denial of service threat at worst.

Vulnerability identifier: CAN-2001-0663 

Tested Versions:

Microsoft tested Windows 2000 and Windows NT 4.0 to assess whether they are affected by these vulnerabilities. Previous versions are no longer supported, and may or may not be affected by these vulnerabilities.

Why was this bulletin updated?
Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the Windows NT Server 4.0 Terminal Server Edition security update. The updated version of this security update addresses a security vulnerability that could occur with the original release that could allow an attacker to attempt a denial of service attack against Windows NT Server 4.0 Terminal Server Edition systems. Customers need to install the revised update even if they installed the prior version. This issue does not affect other operating systems. If you have previously applied the security updates for other operating systems, this revised update does not need to be installed.

On October 18, 2001 Microsoft released the original version of this bulletin. On October 19, 2001, an issue was identified with the Windows 2000 patch. The patch was withdrawn so that it could be updated and re-released. On October 22, 2001 the updated patch and bulletin were posted.

What's the scope of the vulnerability?
This is a denial of service vulnerability. An attacker could use this vulnerability to cause a Windows NT 4.0 or Windows 2000 terminal server to fail. The server could be restarted without incident, but any work that was in progress at the time of the failure would be lost.

What causes the vulnerability?
The vulnerability occurs because Windows NT Server 4.0, Terminal Server Edition, and Terminal Services in Windows 2000 fail when they receive a particular series of packets via a Remote Desktop Protocol connection.

What's Remote Desktop Protocol?
Remote Desktop Protocol (RDP) is the protocol that Windows terminal servers and clients use to communicate with each other. Clients use it to send keystroke and mouse-click information to the server, and the server uses it to send display information to the clients.

What could an attacker do via this vulnerability?
By sending a particular sequence of packets to the port associated with RDP on an affected server, an attacker could cause the server to fail. This would require the server operator to reboot the machine in order to restore normal service.

Would this have any effect on the clients?
It would cause the terminal sessions to be severed, with the loss of any unsaved data. However, it could not be used to directly attack terminal server clients.

Would the attacker need to be able to establish a terminal server session in order to exploit this vulnerability?
No. The attacker would only need to send the correct set of packets to the correct port.

Could the attacker hijack another user's existing terminal server session via this vulnerability?
No. The vulnerability would only enable an attacker to disrupt a session, not to create one or intercept one.

Could a user inadvertently cause the server to fail via a terminal server session?
No. The specific series of packets needed to cause the server to fail cannot be generated as part of a normal terminal server session.

I have Windows NT 4.0 and Window 2000 servers, but they aren't terminal servers. Could I be affected by this vulnerability?

Who should use the patch?
Microsoft recommends that customers running Windows NT 4.0 or Windows 2000 terminal servers install the patch.

What does the patch do?
The patch eliminates the vulnerability by allowing the terminal server service to correctly handle RDP data with the malformation at issue here.

I've installed earlier versions of the Windows 2000 security update, do I need to install any new security updates?
No. The Windows 2000 security updates are not being revised. If you have previously applied the security updates for Windows 2000, this revised update does not need to be installed. This vulnerability did not affect Windows NT Server 4.0 or Windows NT Workstation 4.0

I installed the Windows NT Server 4.0 Terminal Server Edition version of the update that was originally released, do I need to install the new version of the update?
Yes. Microsoft updated this bulletin on May 11, 2004 to advise on the availability of a revised version of the Windows NT Server 4.0 Terminal Server Edition security update. Customer need to install the revised update even if they installed the prior version. This issue does not affect other operating systems. If you have previously applied the security updates for other operating systems, this revised update does not need to be installed.

Download locations for this patch

Installation platforms:

•	The Windows NT 4.0 patch can be installed on systems running Windows NT Server 4.0, Terminal Server Edition, Service Pack 6
•	The Windows 2000 patch can be installed on systems running Service Pack 1 or Service Pack 2.

Inclusion in future service packs:
The fix for this issue will be included in Windows 2000 Service Pack 3.

Reboot needed: Yes

Superseded patches:

The Windows 2000 patch supersedes the one provided in Microsoft Security Bulletin MS01-006.

Verifying patch installation: Microsoft Windows NT Server 4.0, Terminal Server Edition:

•	You may also be able to verify the files that this security update has installed by reviewing the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Hotfix\KB307454\File 1
•	To verify the individual files, consult the file manifest in Knowledge Base article q307454.

Microsoft Windows 2000:

•	To verify that the patch has been installed on the machine, confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\q307454.
•	To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP3\q307454\Filelist

Caveats:

Even after applying the patch, a terminal server that is attacked via this vulnerability will log the following message in the event log:

Event:50 The RDP protocol component X.224 detected an error in the protocol stream and has disconnected the client. Source: Termdd"

On patched systems, this error message is incorrect, as the patch will prevent the client from being disconnected

Localization:

Localized versions of this patch are available at the locations discussed in "Obtaining other security patches".

Obtaining other security patches:

Patches for other security issues are available from the following locations:

•	Security patches are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
•	Patches for consumer platforms are available from the WindowsUpdate web site.

Top of section