A core service of Microsoft Windows 2000 domain controllers fails to correctly handle certain invalid requests. After receiving a number of invalid requests, the domain controller may have to be rebooted to return it to correct operation. A disabled domain controller can interfere with the ordinary operation of all machines in the domain.
Microsoft Windows 2000 uses Kerberos as its default means of authentication. Kerberos is a trusted-third-party scheme that is used to perform mutual authentication between two network entities who trust a "neutral" third party, known as a key distribution center (KDC). In the Microsoft implementation of Kerberos, a domain controller serves as the KDC. By making certain kinds of invalid Kerberos requests to a Windows 2000 domain controller repeatedly, an intruder can exhaust the available memory of the system, effectively rendering it incapable of processing further Kerberos requests, possibly interrupting the ordinary operation of other services on that same machine, and severely impacting system performance. In order to recover the memory, a system administrator must reboot the machine.
More information about this problem is available in Microsoft Security Bulletin MS01-024 and in an advisory issued by Defcom Labs, who originally discovered the problem.
This statement is true, but may lead one to assume that a failure of a domain controller resulting from this vulnerability would be independent of failures of other domain controllers. While having multiple domain controllers is recommended to guard against independent failures (e.g. a disk drive failure), security failures by their very nature are not likely to be independent. Intruders who wish to disrupt the operation of your domain will certainly realize that there may be more than one domain controller; and if they can attack one of them, it is likely that they can attack all of them.
Microsoft addressed the issue of redundancy in Windows 2000 Kerberos Authentication. Quoting from that document:
Intruders can disable domain controllers, effectively halting the processing of logon requests and the granting of new Kerberos tickets.
Apply a patch as described in Microsoft Security Bulletin MS01-024.
Limiting access to ports 88 (Kerberos) and 464 (Kerberos password change) can reduce your exposure to this problem. In general, we recommend blocking access to all ports that aren't explicitly required.
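One way to watch for the condition this note describes, as an added example that is not part of the original note: run firewall log lines through a small checker that flags hosts outside the networks expected to reach the KDC on ports 88 and 464, and hosts sending an unusually dense burst of requests to those ports. The log format, the trusted network, the sample lines and the threshold are all constructed for this example.

```python
"""Flag hosts hammering a Windows 2000 domain controller's Kerberos ports.

Added example, not code from the CERT note. Assumes a firewall log with lines
of the form '<epoch> <src_ip> <dst_ip> <dst_port> <action>' (constructed format).
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

KDC_PORTS = {88, 464}  # Kerberos and Kerberos password change (kpasswd)
# Networks that legitimately talk to the KDC; an assumption for this example.
TRUSTED_NETS = [ip_network("10.0.0.0/8")]

# Constructed sample log lines (not real traffic). 192.0.2.44 is outside the
# trusted range and sends five KDC requests within three seconds.
SAMPLE_LOG = """\
1000 10.0.1.5 10.0.0.10 88 allow
1001 10.0.1.6 10.0.0.10 464 allow
1002 192.0.2.44 10.0.0.10 88 allow
1002 192.0.2.44 10.0.0.10 88 allow
1003 192.0.2.44 10.0.0.10 88 allow
1003 192.0.2.44 10.0.0.10 88 allow
1004 192.0.2.44 10.0.0.10 88 allow
1030 10.0.1.5 10.0.0.10 389 allow
"""

def parse(log):
    for line in log.splitlines():
        ts, src, dst, port, action = line.split()
        yield int(ts), ip_address(src), ip_address(dst), int(port), action

def is_trusted(ip):
    return any(ip in net for net in TRUSTED_NETS)

def analyze(log, window=10, threshold=4):
    """Return (untrusted_sources, flooding_sources) for traffic to KDC ports.
    A source 'floods' when it sends >= threshold KDC requests within any
    window of `window` seconds. Other ports (e.g. LDAP 389) are ignored."""
    untrusted, per_src = set(), defaultdict(list)
    for ts, src, _dst, port, _action in parse(log):
        if port not in KDC_PORTS:
            continue
        if not is_trusted(src):
            untrusted.add(str(src))
        per_src[src].append(ts)
    flooding = set()
    for src, times in per_src.items():
        times.sort()
        for i in range(len(times)):
            j = i  # advance j while times[j] is still inside the window
            while j < len(times) and times[j] - times[i] <= window:
                j += 1
            if j - i >= threshold:
                flooding.add(str(src))
                break
    return untrusted, flooding
```

The threshold and window are placeholders; tune them against a baseline of normal logon traffic for the domain before alerting on them.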
This problem was originally discovered by Peter Gründl of Defcom Labs. A copy of their original advisory is available from Windows IT Security.
This document was written by Shawn V. Hernan.
Date First Published: 2001-05-17
Date Last Updated: 2001-06-26 02:29 UTC