CERT Coordination Center

Microsoft Windows Media Services fails to properly validate TCP requests

Vulnerability Note VU#982630

Original Release Date: 2004-03-10 | Last Revised: 2004-03-11

Overview

Microsoft Windows Media Services fails to properly validate TCP requests, which could allow a remote, unauthenticated attacker to cause the services to refuse new TCP connections.

Description

Microsoft Windows Media Services is an optional component that provides the ability to deliver streaming content to Windows Media clients. It consists of the Windows Media Unicast Service, Windows Media Station Service, Windows Media Program Service, and Windows Media Monitor Service. There is a vulnerability in the way TCP/IP connections are handled by both the Windows Media Station Service and Windows Media Monitor Service. By sending a specially crafted sequence of TCP/IP packets to either of these services, a remote, unauthenticated attacker could cause the service to stop responding or refuse additional TCP connections.

Impact

A remote, unauthenticated attacker could cause the Windows Media Station Service or Windows Media Monitor Service to stop responding or refuse new TCP connections. In order to restore functionality, the service needs to be restarted.

Solution

Apply Patch

Microsoft has provided a patch to address this vulnerability. For details on obtaining the patch, please refer to Microsoft Security Bulletin MS04-008.


Workarounds

Microsoft recommends the following workarounds for users who are unable to apply the patch:

    • Block ports 7007 and 7778 at your firewall.

If you do not stream media over TCP to the Internet, you can block TCP port 7007. Also, block port 7778, which is used to administer Windows Media Services through Windows Media Monitor Service. Windows Media Services uses these ports. By blocking these ports at the firewall, you can help prevent systems that are behind the firewall from being attacked by attempts to exploit this vulnerability.

Impact of Workaround: If you block port 7007, you will prevent multicast streams and the enabling of playlists from functioning across the firewall. If you block port 7778, you will prevent administrative functions from functioning across the firewall.

    • Administer your Windows Media Services from the console or through a Terminal Services session.

If you administer your Windows Media Services servers directly from the console or through a Terminal Services session, you will not be affected by any successful denial of service attempts against Windows Media Monitor Service. The service can still be accessed and used from the desktop of the system that is hosting Windows Media Services even after a successful denial of service attack has taken place.

Impact of Workaround: None.

    • Stop, disable, or remove Windows Media Station Service.

Impact of Workaround: Stopping, disabling, or removing Windows Media Station Service will cause multicast streams or the enabling of playlists to not function.

    • Disable or remove Windows Media Monitor Service.

Impact of Workaround: Disabling or removing Windows Media Monitor Service will prevent the possibility of administering Windows Media Services.
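
One way to confirm that the firewall workaround took effect, as an added example (not CERT/CC or Microsoft code): run from a host outside the firewall against your own Windows Media Services servers, it reports whether TCP ports 7007 and 7778 still accept connections. The function names, the script name and the host arguments are assumptions of this example.

```python
import socket
import sys

# Ports from the workaround above, with the function the advisory attributes to each.
WMS_PORTS = {
    7007: "streaming over TCP (multicast streams, playlists)",
    7778: "administration through Windows Media Monitor Service",
}


def probe(host, port, timeout=2.0):
    """Classify a TCP port as 'open', 'closed' (refused) or 'filtered' (no answer)."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except socket.gaierror:
        raise  # a name that does not resolve is an input error, not a firewall result
    except OSError:
        return "filtered"  # timeout or unreachable: what a dropping firewall looks like


def audit(hosts, ports=WMS_PORTS, timeout=2.0):
    """Return (host, port, role) for every port that still accepts connections."""
    exposed = []
    for host in hosts:
        for port, role in ports.items():
            if probe(host, port, timeout) == "open":
                exposed.append((host, port, role))
    return exposed


if __name__ == "__main__":
    # Hosts are supplied by the operator (hypothetical name shown):
    #   python check_wms_ports.py wms01.example.org
    exposed = audit(sys.argv[1:])
    for host, port, role in exposed:
        print(f"{host}:{port} reachable, {role}")
    sys.exit(1 if exposed else 0)
```

A non-zero exit status means at least one of the two ports is still reachable from where the script ran.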

Vendor Information

Microsoft Corporation Affected

Updated: March 10, 2004

Status

Affected

Vendor Statement

We have not received a statement from the vendor.

Vendor Information

The vendor has not provided us with any further information regarding this vulnerability.

Addendum

Please refer to Microsoft Security Bulletin MS04-008.

If you have feedback, comments, or additional information about this vulnerability, please send us email.


Acknowledgements

Microsoft credits Qualys for reporting this vulnerability.

This document was written by Damon Morda.

Other Information

CVE IDs: CVE-2003-0905
Severity Metric: 2.20
Date Public: 2004-03-09
Date First Published: 2004-03-10
Date Last Updated: 2004-03-11 13:39 UTC
Document Revision: 19

Sponsored by CISA.