************************************************************************** Security Bulletin 9715 DISA Defense Communications System June 9, 1997 Published by: DISN Security Coordination Center (SCC@NIC.MIL) 1-(800) 365-3642 DEFENSE INFORMATION SYSTEM NETWORK SECURITY BULLETIN The DISN SECURITY BULLETIN is distributed by the DISN SCC (Security Coordination Center) under DISA contract as a means of communicating information on network and host security exposures, fixes, and concerns to security and management personnel at DISN facilities. Back issues may be obtained via FTP from NIC.MIL [207.132.116.5] using login= "anonymous" and password="guest". The bulletin pathname is scc/sec-yynn (where "yy" is the year the bulletin is issued and "nn" is a bulletin number, e.g. scc/sec-9705.txt). These are also available at our WWW site, http://nic.mil. ************************************************************************** + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + ! ! ! The following important advisory was issued by the Automated ! ! Systems Security Incident Support Team (ASSIST) and is being ! ! relayed unedited via the Defense Information Systems Agency's ! ! Security Coordination Center distribution system as a means ! ! of providing DISN subscribers with useful security information. ! ! ! + - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - + -----BEGIN PGP SIGNED MESSAGE----- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> Automated Systems Security Incident Support Team _____ ___ ___ _____ ___ _____ | / /\ / \ / \ | / \ | | / Integritas / \ \___ \___ | \___ | | < et /____\ \ \ | \ | | \ Celeritas / \ \___/ \___/ __|__ \___/ | |_____\ <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ADVISORY: 97-08 Release date: 08 Jun 1997 DESCRIPTION: Vulnerability in Windows 95 Network Password PLATFORM: Windows 95 IMPACT: Unauthorized access to the unencrypted network password for the currently logged in user is possible. Malicious programs exploiting this vulnerability could compromise a user's account if the user executed it. These programs could be in the form of a trojan utility, e-mail with attached document and macros, etc. SOLUTIONS: Apply Microsoft patches immediately. Also log off when leaving the computer for long periods of time, run a password protected screen saver when leaving for short durations, and do not run untrusted programs on the network, the Web, or received via e-mail. The Microsoft page describing this problem is: http://www.microsoft.com/windows95/info/passwordmb.htm [ Beginning of AUSCERT Bulletin ] =========================================================================== AA-97.25 AUSCERT Advisory Windows95 Network Password Vulnerability 3 June 1997 Last Revised: -- - - --------------------------------------------------------------------------- AUSCERT has received information that a vulnerability exists in the way that network passwords are stored in memory by Microsoft Windows95 systems. This vulnerability may allow the unauthorized access to the plain text password for the currently logged in user. This can lead to unauthorized access to the user's network account. Microsoft has released a security bulletin, containing patch information, addressing the vulnerability. These patches encrypt the passwords stored in memory. The security bulletin and patches are described in this advisory. - - --------------------------------------------------------------------------- 1. Description A vulnerability exists in the way that network passwords are stored in memory by Microsoft Windows95 systems. This vulnerability may allow unauthorized access to the plain text password for the currently logged in user. Although the password is encrypted before sending it over a network, it is stored unencrypted in the system's memory. Access to the password for the currently logged in user is possible through careful examination of memory structures. It is possible to develop a program to simplify this attack. To obtain the password currently stored in memory, a program must be executed on the system. This can be done by either gaining physical access to the computer or misleading the user into executing the program. These actions must be performed while the network user is still logged in. The user can be misled into running a malicious program by downloading untrusted information from the Internet, or by some other means such as embedding the malicious program in a Macro contained in a file that gets executed when the file is opened by the user. This file may be sent to the user as an attachment to an electronic mail message. 2. Impact Unauthorized access may be gained to the network password of the user logged in to a Windows95 system. This can lead to unauthorized access to the user's network account using the compromised password. 3. Workarounds/Solution Official vendor patches have been released by Microsoft which address this vulnerability (Section 3.1). AUSCERT recommends that sites apply the patches given in this bulletin immediately. 3.1 Install vendor patches Microsoft has released a security bulletin, containing patch information, addressing the vulnerability described in this advisory. This bulletin can be located on their security page on Microsoft's Web site at http://www.microsoft.com/security/ and is titled "Microsoft Windows 95 Update to Enhance Password Security". Additionally, a Microsoft Knowledge Base article has been developed by Microsoft detailing more information about this problem and associated fixes. It can be located by going to Microsoft Australia's home page (http://www.microsoft.com.au) and following the links to "Support", and then to "Knowledge Base". The specific Knowledge Base article to search for is Q165402. This article can also be referenced as http://www.microsoft.com/kb/articles/q165/4/02.htm Both the bulletin and the Knowledge Base article contain pointers to patches that can be downloaded. AUSCERT recommends that sites apply the patches given in this bulletin immediately. 4. Additional Measures To gain access to the user's password, the user must first be logged in to the network from a Windows95 system using their account and password. The password is obtained by either someone running a program on the system, or a program must be executed by the user or on the user's behalf. Executing a program can be done by either gaining physical access to the system or misleading the user into running an untrusted program. The user can be misled into running a malicious program by downloading untrusted information from the Internet, or by some other means such as embedding the malicious program in a Macro contained in a file that gets executed when the file is opened by the user. This file may be sent to the user as an attachment to an electronic mail message. Educating users can address each of these scenarios. The ability to exploit this vulnerability can be reduced if unauthorized access to the system, while the user is still logged in, can be minimized or eliminated. One way this can be achieved is if each user logs off from the network any time they leave the computer for reasonable periods of time, or runs a password protected screen saver. Users should also be educated not to run untrusted programs that have been given to them on disk or via Email, or downloaded from a network. Email attachments should be scanned for any unauthorized macros. [ End of AUSCERT Bulletin ] - - --------------------------------------------------------------------------- The ASSIST staff would like to thank AUSCERT as well as the Australian Bureau of Statistics and Microsoft for their assistance and response in the preparation of this Advisory. - - --------------------------------------------------------------------------- <<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>> ASSIST is an element of the Defense Information Systems Agency (DISA), Global Operations and Security Center (GOSC), which provides service to the entire DoD community. Constituents of the DoD with questions about ASSIST or computer security issues, can contact ASSIST using one of the methods listed below. Non-DoD organizations/institutions, contact the Forum of Incident Response and Security Teams (FIRST) representative. To obtain a list of FIRST member organizations and their constituencies send an email to docserver@first.org with an empty "subject" line and a message body containing the line "send first-contacts". ___________________________ ASSIST CONTACT INFORMATION: E-mail: assist@assist.mil Phone: (800)-357-4231 (DSN 327-4700) 24 hour hotline Fax: (703) 607-4735 (DSN 327-4735) Unclassified ASSIST Bulletins, tools and other security related information are available from: http://www.assist.mil/ ftp://ftp.assist.mil/ To be added to our mailing list for ASSIST bulletins, send your e-mail address to: assist-request@assist.mil In the subject line, type: SUBSCRIBE your-email-address ___________________________________ OTHER DOD CERT CONTACT INFORMATION: Air Force CERT Phone: (800) 854-0187 Air Force CERT Email: afcert@afcert.csap.af.mil Navy CIRT Phone: (800) 628-8893 Navy CIRT Email: navcirt@fiwc.navy.mil Army CERT Phone: (888) 203-6332 Army CERT Email: acert@vulcan.belvoir.army.mil _________________ ASSIST BULLETINS: Back issues of ASSIST bulletins, and other security related information, are available from the ASSIST BBS at 703-607-4710, 327-4710, and through anonymous FTP from ftp.assist.mil (IP address 199.211.123.12). Note: ftp.assist.mil will only accept anonymous FTP connections from Milnet addresses that are registered with the NIC or DNS. If your system is not registered, you must provide your MILNET IP address to ASSIST before access can be provided. ASSIST uses Pretty Good Privacy (PGP) as the digital signature mechanism for bulletins. PGP incorporates the RSAREF(tm) Cryptographic Toolkit under license from RSA Data Security, Inc. A copy of that license is available via anonymous FTP from net-dist.mit.edu (IP 18.72.0.3) in the file /pub/PGP/rsalicen.txt. In accordance with the terms of that license, PGP may be used for non-commercial purposes only. Instructions for downloading the PGP software can also be obtained from net-dist.mit.edu in the pub/PGP/README file. PGP and RSAREF may be subject to the export control laws of the United States of America as implemented by the United States Department of State Office of Defense Trade Controls. The PGP signature information will be attached to the end of ASSIST bulletins. Reference herein to any specific commercial product, process, or service by trade name, trademark manufacturer, or otherwise, does not constitute or imply its endorsement, recommendation, or favoring by ASSIST. The views and opinions of authors expressed herein shall not be used for advertising or product endorsement purposes. -----BEGIN PGP SIGNATURE----- Version: 2.6 iQCVAwUBM5sfLtH6sbnW3Io9AQECBwQAqG5+BCsQWyo5j8EF0XMiEzKXK5wt2cGR hbjP0rLnHNATsckwlaevS4cm5uAP2sN+GQJNbxYm6Om04FtFTsmFpbuHpoysBpAC XJvrE4eeR9e/iJ9jh1DgC7XyHhnPU4I2IgPk1Mhlmxt2bbkbuR1MKEu81myZe0hZ o3XuG0FKonc= =zGhz -----END PGP SIGNATURE----- **************************************************************************** * * * The point of contact for NIPRNET security-related incidents is the * * ASSIST: * * * * E-mail address: ASSIST@ASSIST.MIL * * * * Telephone: 1-(800)-357-4231 (24 hours/day) * * * * You may also contact the Security Coordination Center (SCC) at the * * NIC: * * * * E-mail address: SCC@NIC.MIL * * * * Telephone: 1-(800)-365-3642 * * * * NIC Help Desk personnel are available from 7:00 a.m.-7:00 p.m. EST, * * Monday through Friday except on federal holidays. * * * **************************************************************************** PLEASE NOTE: Some users outside of the DOD computing communities may receive DISN Security Bulletins. If you are not part of the DOD community, please contact your agency's incident response team to report incidents. Your agency's team will coordinate with DOD. The Forum of Incident Response and Security Teams (FIRST) is a world-wide organization. A list of FIRST member organizations and their constituencies can be obtained by sending email to docserver@first.org with an empty subject line and a message body containing the line: send first-contacts. This document was prepared as an service to the DOD community. Neither the United States Government nor any of their employees, makes any warranty, expressed or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation, or favoring by the United States Government. The opinions of the authors expressed herein do not necessarily state or reflect those of the United States Government, and shall not be used for advertising or product endorsement purposes.