COMMAND

    LSA

SYSTEMS AFFECTED

    WinNT with SP5

PROBLEM

    William Galipeau  found following.   A few  months ago  he found a
    vulnerability in  NT 4.0  configured with  SP5.   He downloaded  a
    trial copy  of Network  Associates Cyber  Cop version  5.0.  After
    running  a  scan  using  all  the  Denial  of Service based attack
    options.  All failed but  one:  the "Windows NT-  LSASS.EXE Denial
    of Service  attack."   When you  run a  scan on  a NT  4.0 machine
    configured with SP5 (with or  without the LSA3 hot fix)  utilizing
    this option, the target machine  will lock, not allowing users  to
    authenticate to the server remotely  or locally.  The only  way to
    correct the problem is to physically reboot the server.  Also,  to
    make matters  worse, the  audit logs  on the  target server do not
    illustrate where the  attacks were launched  from.  Because  Cyber
    Cop allows you to run this scan  on any IP or any host of  IPs, an
    intruder could  attack a  large base  of servers  in a  relatively
    short amount of time without leaving a reliable audit trail.

SOLUTION

    It has been confirmed this vulnerability using the LSA DoS  attack
    in CyberCop  as well.   The target  machines were  NT 4.0 servers,
    one with SP4 and the other  with SP5.  After appling the  post-SP5
    LSA3  hotfix   on  both   machines,  it   appeared  to   fix   the
    vulnerability.   Rerunning the  DoS attack  did not  affect either
    machine... so it's hard to tell now what's the real issue.