Terminal Services at Risk for DoS Attack
- By Scott Bekker
- July 26, 2001
Microsoft Corp. issued a fix Wednesday night to patch a Terminal Services bug that makes Windows servers vulnerable to a Denial-of-Service (DoS) attack.
The vulnerability affects systems running Windows NT 4.0 Terminal Server Edition as well as Windows 2000 Server and Windows 2000 Advanced Server, both of which incorporate integrated Terminal Services.
According to a bulletin that Microsoft sent to the subscribers of its security mailing list, the vulnerability can be exploited in a DoS attack by an attacker who sends a malformed packet to port 3389 on a server.
Microsoft’s Terminal Services implementation in both Windows NT 4.0 Terminal Server Edition and in Windows 2000 leverage a protocol, dubbed the Remote Data Protocol (RDP), which listens for requests on port 3389.
Each time a host system processes a malformed RDP packet, Microsoft says, system memory is depleted. It's possible that an attacker could send enough malformed RDP packets to exhaust the resources of a server and to cause it to stop responding to other (legitimate) requests.
The software giant cautions that an attacker does not have to successfully log into a Windows server in order to take it down. Instead, officials say, she has only to bombard port 3389 with malformed RDP packets.
Microsoft claims that IT organizations can safeguard against external attacks by blocking traffic intended for port 3389 on their firewalls or routers. To do so, however, would also restrict the ability of legitimate users outside of an organization to access terminal services.
The problem is serious, says Edward Ko, a network coordinator with the Pennsylvania State University, because the Terminal Services deployment options in Windows 2000 Server and Windows 2000 Advanced Server are among the most popular features of the operating system.
"Even if you don't have an 'Application Server' license to support a lot of users on Terminal Services, you can deploy [Terminal Services] in 'Remote Administration' mode," he explains, noting that IT managers commonly enable "Remote Administration" mode on Windows 2000 servers in order to let them manage these systems remotely.
"There are still a lot of things that you can't do in Windows 2000 with a command line," he says. "Because of this, integrated Terminal Services were a godsend."
The patch can be found here.
The vulnerability disclosure comes one day after Microsoft issued a fix for a memory leak vulnerability in its Services for Unix 2.0 that affected SFU's implementations of Telnet and the Network File System. Stephen Swoyer
Scott Bekker is editor in chief of Redmond Channel Partner magazine.