COMMAND

    kernel

SYSTEMS AFFECTED

    Windows 2000 Server, Advanced Server and Datacenter Server

PROBLEM

    'FX'  found  the following.  Windows 2000 server with an open UDP
    Kerberos v5  port (464)  is vulnerable  to a  UDP ping-pong attack
    where you send a packet with someone else's IP address and chargen
    source port to it.  Drives CPU usage on my test system to  approx.
    70%.  AFAIK affected systems: Win2k server running AD.

    A core service running on all Windows 2000 domain controllers (but
    not  on  any  other  machines)  contains  a  flaw affecting how it
    processes   a   certain   type   of   invalid   service   request.
    Specifically, the service should handle the request at issue  here
    by determining that it is invalid and simply dropping it; in fact,
    the service performs  some resource-intensive processing  and then
    sends a response.

    If an  attacker sent  a continuous  stream of  such requests to an
    affected machine, it  could consume most  or all of  the machine's
    CPU  availability.   This  could  cause  the  domain controller to
    process  requests  for  service  slowly  or  not at all, and could
    limit the number of new  logons the machine could process  and the
    number of Kerberos tickets that could be issued.

    Mitigating factors:

    - The machine would automatically resume normal processing as soon
      as the stream of requests ceased.
    - Although the attacker could, in theory, use the vulnerability to
      completely deny service to network users, in practice the attack
      rarely consumes more than 75% of the available CPU resources.
    - Users  who  were  already  logged  on and were using  previously
      issued  Kerberos  tickets  would  not  be  affected  by   domain
      controller unavailability.
    - If  there were  multiple domain  controllers on  the domain, the
      unaffected machines could pick up the other machine's load.
    - If normal security practices have been followed, Internet  users
      would  be  prevented  by  firewalling  and  other  measures from
      levying requests directly to domain controllers.
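
    The traffic pattern described above (UDP datagrams arriving at port
    464 with the chargen source port) can be looked for in flow logs.
    The following is an added example, not part of the original
    advisory or the vendor bulletin; the log format, the threshold, the
    sample records and the extra "small service" ports besides chargen
    are assumptions.

```python
from collections import Counter

KERBEROS_PORT = 464  # UDP port named in the advisory

# UDP services that answer any datagram they receive. chargen (19) is the
# one named in the advisory; the others are an added generalization.
REFLECTIVE_SRC_PORTS = {7: "echo", 13: "daytime", 17: "qotd", 19: "chargen"}

# Constructed sample flow records: "epoch proto src_ip src_port dst_ip dst_port"
SAMPLE_FLOWS = """\
1000 udp 192.0.2.10 19 10.0.0.5 464
1001 udp 192.0.2.10 19 10.0.0.5 464
1002 udp 192.0.2.10 19 10.0.0.5 464
1003 udp 192.0.2.10 19 10.0.0.5 464
1004 udp 10.0.0.77 49152 10.0.0.5 464
1005 udp 198.51.100.7 7 10.0.0.5 464
1006 tcp 192.0.2.10 19 10.0.0.5 464
this line is malformed
"""

def find_pingpong(text, threshold=3, window=10):
    """Return {(src_ip, service, dc_ip): packets} for senders that hit the
    Kerberos port from a reflective source port at least `threshold` times
    inside one `window`-second bucket."""
    buckets = Counter()
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 6 or fields[1].lower() != "udp":
            continue  # skip malformed records and non-UDP traffic
        try:
            ts, sport, dport = int(fields[0]), int(fields[3]), int(fields[5])
        except ValueError:
            continue
        if dport == KERBEROS_PORT and sport in REFLECTIVE_SRC_PORTS:
            key = (fields[2], REFLECTIVE_SRC_PORTS[sport], fields[4], ts // window)
            buckets[key] += 1
    alerts = Counter()
    for (src, svc, dst, _bucket), n in buckets.items():
        if n >= threshold:
            alerts[(src, svc, dst)] += n
    # The source address is forged per the advisory, so src_ip identifies the
    # second machine caught in the loop, not the sender of the first packet.
    return dict(alerts)

if __name__ == "__main__":
    for (src, svc, dst), n in find_pingpong(SAMPLE_FLOWS).items():
        print(f"{n} datagrams {src}:{svc} -> {dst}:{KERBEROS_PORT}")
```

    An ordinary client using an ephemeral source port is never flagged;
    only a sustained stream from a reflective source port is reported.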

SOLUTION

    A patch is available to  fix this vulnerability.  Please  read the
    Security Bulletin

        http://www.microsoft.com/technet/security/bulletin/ms01-011.asp

    for information on obtaining this patch.