{"vuid":"VU#567620","idnumber":"567620","name":"Microsoft Windows Workstation service vulnerable to buffer overflow when sent specially crafted network message","keywords":["Microsoft","Windows","Workstation service","buffer overflow","crafted network message","Q828749","MS03-049"],"overview":"A remotely exploitable vulnerability affects Microsoft Windows Systems. Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.","clean_desc":"A buffer overflow vulnerability exists in the Microsoft Workstation service. A remote attacker that can send a specially-crafted network message to the vulnerable system could exploit this vulnerability to execute arbitrary code with system privileges. According to the Microsoft Bulletin, MS03-049, the following systems are affected: Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4\nMicrosoft Windows XP, Microsoft Windows XP Service Pack 1\nMicrosoft Windows XP 64-Bit Edition According to the Microsoft Bulletin, MS03-049, the following systems are NOT affected: Microsoft Windows NT Workstation 4.0, Service Pack 6a \nMicrosoft Windows NT Server 4.0, Service Pack 6a \nMicrosoft Windows NT Server 4.0, Terminal Server Edition, Service Pack 6 \nMicrosoft Windows Millennium Edition \nMicrosoft Windows XP 64-Bit Edition Version 2003 \nMicrosoft Windows Server 2003 \nMicrosoft Windows Server 2003 64-Bit Edition Note that a proof of concept exploit has been posted publicly.","impact":"Exploitation of this vulnerability could permit the execution of arbitrary code on the system with elevated privileges. The exploit vector for this vulnerability is highly conducive to a worm or other automated exploit.","resolution":"Apply the appropriate update for your system: Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4 - Download the update \nMicrosoft Windows XP, Microsoft Windows XP Service Pack 1- Download the update \nMicrosoft Windows XP 64-Bit Edition - Download the update As a note in the Microsoft Advisory: Note: The Windows XP security updates that released on October 15th as part of Security Bulletin MS03-043 (828035) include the updated file that helps protect from this vulnerability. If you have applied the Windows XP security updates for MS03-043 (828035) you do not have to reapply this update. However, the Windows 2000 security update that is released as part of this security bulletin contains updated files that were not part of the MS03-043 (828035) security bulletin. Customers have to apply this Windows 2000 security update even if they applied the Windows 2000 security updates for MS03-043 (828035).","workarounds":"Note the following mitigation strategies from Microsoft's Advisory: If users have blocked inbound UDP ports 138, 139, 445 and TCP ports 138, 139, 445 by using a firewall an attacker would be prevented from sending messages to the Workstation service. Most firewalls, including Internet Connection Firewall in Windows XP, block these ports by default. Disabling the Workstation service will prevent the possibility of attack. However there are a number of impacts when performing this workaround. Please see the Workaround section for more details. Only Windows 2000 and Window XP are affected. Other operating systems are not vulnerable to this attack.","sysaffected":"","thanks":"This issue was reported by eEye Digital Security and published in the monthly Microsoft Security Bulletin.","author":"This document was written by Jason A Rafail.","public":["http://www.microsoft.com/technet/security/bulletin/MS03-049.asp","http://www.eeye.com/html/Research/Advisories/AD20031111.html"],"cveids":["CVE-2003-0812"],"certadvisory":"CA-2003-28","uscerttechnicalalert":null,"datecreated":"2003-11-11T18:38:02Z","publicdate":"2003-11-11T00:00:00Z","datefirstpublished":"2003-11-11T23:46:48Z","dateupdated":"2003-11-12T16:00:20Z","revision":15,"vrda_d1_directreport":"","vrda_d1_population":"","vrda_d1_impact":"","cam_widelyknown":"15","cam_exploitation":"0","cam_internetinfrastructure":"15","cam_population":"15","cam_impact":"18","cam_easeofexploitation":"15","cam_attackeraccessrequired":"20","cam_scorecurrent":"45.5625","cam_scorecurrentwidelyknown":"53.15625","cam_scorecurrentwidelyknownexploited":"83.53125","ipprotocol":"","cvss_accessvector":"","cvss_accesscomplexity":"","cvss_authentication":null,"cvss_confidentialityimpact":"","cvss_integrityimpact":"","cvss_availabilityimpact":"","cvss_exploitablity":null,"cvss_remediationlevel":"","cvss_reportconfidence":"","cvss_collateraldamagepotential":"","cvss_targetdistribution":"","cvss_securityrequirementscr":"","cvss_securityrequirementsir":"","cvss_securityrequirementsar":"","cvss_basescore":"","cvss_basevector":"","cvss_temporalscore":"","cvss_environmentalscore":"","cvss_environmentalvector":"","metric":45.5625,"vulnote":null}