COMMAND

    LSA

SYSTEMS AFFECTED

    WinNT 4, Win2000

PROBLEM

    BindView Co. found the following regarding LSA (the RestrictAnonymous
    key is not relevant).  The problem pointed out in this advisory
    affects systems running Windows NT by crashing the Local Security
    Authority, rendering the target machine unusable after some period
    of time.  The problem stems from a failure to verify the input to
    LsaLookupNames.  It is made worse by the fact that it can be
    anonymously exploited.  Setting the RestrictAnonymous registry key
    to 1 does not prevent this problem from being exploited.

    The LSA  is the  system component  responsible for  authenticating
    users to the  system, and deciding  what access and  privilege the
    users are  entitled to.   The same  process that  contains the LSA
    also  contains  the  SAM  (Security  Accounts Manager), as well as
    elements of the RPC subsystem, particularly those responsible  for
    launching DCOM servers.  Those components will also be unavailable
    as  a  result  of  the  crash.    Once  the  LSA  has  died,   new
    authentication tokens  can no  longer be  created.   Anything that
    requires  creating  new  authentication  tokens  will  no   longer
    function.  Examples include:

        o Connecting to the host's network shares.
        o Attempting to log on to the machine.
        o Trying to run User Manager, Event Viewer, or Server  Manager
          against the machine.
        o If the host is a  PDC, users will be unable to  change their
          passwords.
        o If  the  host  is  running  IIS,  SQL  Server, or other  RPC
          services with  NT integrated  security, those  services will
          not function properly.
        o Tools which display  account names, e.g., ACL  editors, will
          display all accounts as 'Account Unknown'.
        o The user will not be able to shut down the machine by
          clicking [Start]->Shutdown.  They will be told that they do
          not have permission, even if they actually do.  Pressing
          Ctrl-Alt-Del and selecting Shutdown on that dialog does work.

    Some functions will continue to work:

        o Users who  are already connected  to the host's  shares will
          continue to be able to access files, until they disconnect.
        o Services can be  started, provided that they  are configured
          to run in the SYSTEM account.
        o Many user applications will function normally.

    Under  certain  conditions,  the  adverse  effects  may not happen
    immediately.  If the host's exception system is not configured  to
    work automatically,  then a  dialog box  will be  displayed on the
    host,  and  the  system  will  work  normally  until the dialog is
    dismissed.  This configuration is normally only found on
    developers' machines.  The registry key that controls this
    behavior is

        HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug

    value "Auto".  Changing this value from the default of "1" to  "0"
    will enable this behavior.

SOLUTION

    Install the LSA3-fix  Hotfix from Microsoft  to fix this  problem.
    This fix can be downloaded from

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP5/LSA3-fix/