Microsoft KB Archive/287397

= MS01-011: Patch Available for Malformed Domain Controller Service Request Vulnerability =

PSS ID Number: 287397

Article Last Modified on 9/23/2003

-

The information in this article applies to:


 * Microsoft Windows 2000 Server SP1
 * Microsoft Windows 2000 Server SP2
 * Microsoft Windows 2000 Advanced Server SP1
 * Microsoft Windows 2000 Advanced Server SP2

-



This article was previously published under Q287397



SYMPTOMS
Microsoft has released a patch that eliminates a security vulnerability that affects Windows 2000-based domain controllers (DCs). The vulnerability could enable a malicious user to temporarily disrupt service on the DC.

A service that runs on all Windows 2000-based DCs (but not on any other computers) contains a flaw in the way that it processes a certain type of invalid request. If a malicious user sent a continuous stream of such requests to an affected computer, it would consume most or all of the computer's resources. This could cause the DC to process requests for the service slowly or not at all.

The computer would automatically resume normal processing as soon as the stream of requests ceased. Although the malicious user could, in theory, use the vulnerability to completely deny service to network users, in practice the attack rarely consumes more than 75 percent of the available central processing unit (CPU) resources. Also, if there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load. If normal security practices have been followed, only network users could exploit this vulnerability.



RESOLUTION
To resolve this problem, either obtain Windows 2000 Service Pack 3 or Windows 2000 Security Rollup Package 1 (SRP1). To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:

260910 How to Obtain the Latest Windows 2000 Service Pack

For additional information about SRP1, click the article number below to view the article in the Microsoft Knowledge Base:

311401 Windows 2000 Security Rollup Package 1 (SRP1), January 2002

This update has been superseded by the patch discussed in the following Microsoft Knowledge Base article. This article refers to the latest version of this patch.

299687 Function Exposed via LDAP over SSL Could Enable Passwords to be Changed

The following file is available for download from the Microsoft Download Center:

Download Q299687_w2k_sp3_x86_en.exe now

Release Date: June 26, 2001

For additional information about how to download Microsoft Support files, click the following article number to view the article in the Microsoft Knowledge Base:

119591 How to Obtain Microsoft Support Files from Online Services

Microsoft scanned this file for viruses. Microsoft used the most current virus-detection software that was available on the date that the file was posted. The file is stored on security-enhanced servers that help to prevent any unauthorized changes to the file. The English version of this fix should have the following file attributes or later:

  Date         Time   Version        Size     File name -  6/27/2001   12:19p  5.0.2195.3787  501,520  Lsasrv.dll(56-bit) 6/27/2001  01:25p  5.0.2195.3787  355,088  Advapi32.dll 6/27/2001  01:21p  5.0.2195.3787  519,440  Instlsa5.dll 6/27/2001  01:25p  5.0.2195.3787  143,120  Kdcsvc.dll 6/26/2001  08:15p  5.0.2195.3781  197,392  Kerberos.dll 6/26/2001  08:16p  5.0.2195.3781   69,456  Ksecdd.sys 6/27/2001  12:20p  5.0.2195.3787  501,520  Lsasrv.dll 6/26/2001  08:16p  5.0.2195.3781   33,552  Lsass.exe 6/27/2001  01:25p  5.0.2195.3781  909,072  Ntdsa.dll 6/27/2001  01:25p  5.0.2195.3781  382,224  Samsrv.dll 6/27/2001  01:25p  5.0.2195.3781  128,784  Scecli.dll 6/27/2001  01:25p  5.0.2195.3649  299,792  Scesrv.dll



STATUS
Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3.



MORE INFORMATION
For more information about this vulnerability, see the following Microsoft Web site:

http://www.microsoft.com/technet/security/bulletin/ms01-011.asp

For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base:

265173 The Datacenter Program and Windows 2000 Datacenter Server Product

For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base:

296861 Use QChain.exe to Install Multiple Hotfixes with One Reboot

Additional query words: security_patch kbWin2000srp1

Keywords: kbbug kbenv kbfix kbgraphxlinkcritical KbSECHack kbSecurity KbSECVulnerability kbWin2000PreSP3Fix kbWin2000sp3fix KB287397

Technology: kbwin2000AdvServ kbwin2000AdvServSearch kbWin2000AdvServSP1 kbWin2000AdvServSP2 kbwin2000Search kbwin2000Serv kbwin2000ServSearch kbwin2000ServSP1 kbwin2000ServSP2 kbWinAdvServSearch

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© 2004 Microsoft Corporation. All rights reserved.