=====================================================================
                                   CERT-Renater

                        Information Note No. 2007/VULN288
_____________________________________________________________________

DATE                      : 11/07/2007

HARDWARE PLATFORM(S)      : /
                                               	
OPERATING SYSTEM(S)       : Windows 2000 Server SP4 and 2003

======================================================================

MS07-039 - Vulnerability in Windows Active Directory Could Allow Remote
Code Execution

Affected Products:

   - Microsoft Windows 2000 Server Service Pack 4
   - Windows Server 2003 Service Pack 1
   - Windows Server 2003 Service Pack 2
   - Windows Server 2003 x64 Edition
   - Windows Server 2003 x64 Edition Service Pack 2
   - Windows Server 2003 with SP1 for Itanium-based Systems
   - Windows Server 2003 with SP2 for Itanium-based Systems


Non-Affected Products:

   - Windows 2000 Professional Service Pack 4
   - Windows XP Service Pack 2
   - Windows XP Professional x64 Edition
   - Windows XP Professional x64 Edition Service Pack 2
   - Windows Vista
   - Windows Vista x64 Edition
   - Active Directory Application Mode (ADAM) Service Pack 1


Full MS07-039 advisory:
   http://www.microsoft.com/technet/security/bulletin/ms07-039.mspx


Vulnerability Details:
	
Windows Active Directory Remote Code Execution Vulnerability - CVE-2007-0040

A remote code execution vulnerability exists in the way that Active
Directory validates an LDAP request. An attacker who successfully
exploited this vulnerability could take complete control of an affected
system.

Windows Active Directory Denial of Service Vulnerability - CVE-2007-3028

A denial of service vulnerability exists in the way that Microsoft
Active Directory validates a client-sent LDAP request. An attacker could
exploit the vulnerability by sending a specially crafted LDAP request to
a server running Active Directory. An attacker who successfully
exploited this vulnerability could cause the server to temporarily stop
responding.


Workaround Details:

Block TCP ports 389 and 3268 at the firewall

These ports are used to initiate connections with the affected component.
Blocking these at the enterprise firewall, both inbound and outbound,
will help protect systems that are behind that firewall from attempts to
exploit this vulnerability. We recommend that you block all unsolicited
inbound communication from the Internet to help prevent attacks that may
use other ports. For more information about ports, visit TCP and UDP
Port Assignments.[1]
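
To confirm that the workaround is in effect, the following added example (not part of the Microsoft bulletin or the CERT-Renater note) probes TCP 389 and 3268 on your own domain controllers from a vantage point outside the firewall and lists any that still accept connections. Host names are passed on the command line; the function names are illustrative.

```python
import socket
import sys

# Ports named in the workaround: LDAP (389) and Global Catalog (3268).
AD_LDAP_PORTS = (389, 3268)


def probe(host, port, timeout=3.0):
    """Return 'open', 'closed' (connection refused) or 'filtered' (no answer)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
        return "open"
    except socket.gaierror:
        # An unresolvable name must not be mistaken for a blocked port.
        raise
    except ConnectionRefusedError:
        return "closed"
    except OSError:
        # Timeout or ICMP unreachable: what a dropping firewall looks like.
        return "filtered"
    finally:
        s.close()


def audit(hosts, ports=AD_LDAP_PORTS, timeout=3.0):
    """Return the (host, port) pairs still reachable through the firewall."""
    return [(h, p) for h in hosts for p in ports
            if probe(h, p, timeout) == "open"]


if __name__ == "__main__":
    # Usage: python check_ldap_block.py dc1.example.org dc2.example.org
    exposed = audit(sys.argv[1:])
    for host, port in exposed:
        print(f"EXPOSED {host}:{port} accepts TCP connections")
    sys.exit(1 if exposed else 0)
```

Run it from outside the perimeter; an empty result with exit status 0 means no listed host accepted a connection on either port.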


References:

  [1] TCP and UDP Port Assignments
      http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/cnet/cnfc_por_gdqc.mspx?mfr=true


======================================================================

          =========================================================
          CERT-Renater reference servers
          http://www.urec.fr/securite
          http://www.cru.fr/securite
          http://www.renater.fr
          =========================================================
          + CERT-RENATER          | tel : 01-53-94-20-44          +
          + 151 bd de l'Hopital   | fax : 01-53-94-20-41          +
          + 75013 Paris           | email: certsvp@renater.fr     +
          =========================================================






