Software Engineering Institute

The Secure Sockets Layer (SSL) protocol is commonly used to provide authentication, encryption, integrity, and non-repudiation services to network applications such as HTTP, IMAP, POP3, LDAP, and others. The Microsoft Secure Sockets Layer library contains support for SSL and a number of other secure communication protocols.

A flaw exists in the process used by the SSL Library to check message inputs, specifically in the handling of some malformed SSL messages. This flaw results in a vulnerability that could allow a remote attacker to cause a denial-of-service condition on the affected system. An attacker with the ability to send a specially crafted malformed messages to an SSL-enabled service or program could exploit this vulnerability. Microsoft provides the following description of configurations that are vulnerable:

All systems that have SSL enabled are vulnerable. Although SSL is generally associated with Internet Information Services by using HTTPS and port 443, any service that implements SSL on an affected platform is likely to be vulnerable. This includes but is not limited to Internet Information Services 4.0, Internet Information Services 5.0, Internet Information Services 5.1, Exchange Server 5.5, Exchange Server 2000, Exchange Server 2003, Analysis Services 2000 (included with SQL Server 2000), and any third-party programs that use SSL.

Windows 2000 domain controllers that are installed in an Active Directory domain that also has an Enterprise Root certification authority installed are affected by this vulnerability because they automatically listen for secure SSL connections.

A remote attacker could cause the affected system to stop accepting SSL connections (for systems running Windows 2000 and Windows XP) or automatically restart (for systems running Windows Server 2003).

Apply a patch from the vendor

Microsoft, Inc. has published Microsoft Security Bulletin MS04-011 in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.

Workarounds

Microsoft lists the following workaround in MS04-011:

Microsoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

• Block ports 443 and 636 at the firewall
Port 443 is used to receive SSL traffic. Port 636 is used for LDAP SSL connections (LDAPS). Blocking them at the firewall will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. Other ports may be found that could be used to exploit this vulnerability. However, the ports listed here are the most common attack vectors. Microsoft recommends blocking all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.

Impact of Workaround: If ports 443 or 636 are blocked, the affected systems can no longer accept external connections using SSL or LDAPS.