NOTE: Two messages are in this file. The newest is first ...

From: crawdad@fnal.gov
Subject: MS04-011 is now critical for all Windows NT4, 2000, and XP systems
Date: April 28, 2004 10:18:12 AM CDT
To: pc-manager@fnal.gov
Cc: cppm_reg_sysadmins@fnal.gov, computer-security@fnal.gov

Universities are reporting automated "worm" exploits attacking the LSASS vulnerability which is part of the recent Microsoft security bulletin MS04-011. Experience tells us that sooner or later someone is sure to carry an infected machine into the site. Consequently, this is now a critical vulnerability for all Windows systems running NT4[*], 2000 or XP and must be patched by May 10.

References:
http://www.microsoft.com/technet/security/bulletin/MS04-011.mspx
http://isc.incidents.org/diary.php?date=2004-04-27

================================================================

From: crawdad@fnal.gov
Subject: MS04-011 is critical for SSL-enabled IIS Windows LDAP servers
Date: April 22, 2004 11:48:13 AM CDT
To: pc-manager@fnal.gov

The SANS Internet Storm Center posts this message ...

=====
A new IIS SSL Remote Root exploit tool has been released - this has elevated the situation from a DoS situation to root access. Be sure to install the MS04-011 Security Update or be prepared to rebuild the IIS server later. The tool is new, so the full impact of this one may not be felt for a couple of days. The MS04-011 Update is also important because this particular exploit, now that it's moved to root access, has a very high likelihood of someone writing a new worm (or, as the current trend is, patching one of the current worms or bots) to take advantage of this one.
=====

Most of the new crop of MS patches will be declared critical, but we are trying not to rush system admins unnecessarily. However, the existence of this remote exploit forces our hand for any Windows machine exposing HTTP/SSL or LDAP/SSL service to the internet.
We're still correlating results from the new vulnerability scanner plugins, but the six machines of greatest immediate concern are:

131.225.7.80    skyserver.fnal.gov
131.225.7.125   skyserver2.fnal.gov
131.225.7.133   sdsssql002.fnal.gov
131.225.9.3     listserv.fnal.gov
131.225.46.1    tdserver1.fnal.gov
131.225.84.160  csdserver3.fnal.gov

Don't ignore other machines, though! The above list is not complete, and port 636 - also a vector of attack - is not blocked at the border. A deadline for applying these patches to all Windows machines exposing an SSL service (HTTPS or others) will be set as soon as the full extent of the risk is known. The deadline is likely to be short!

Matt Crawford
Fermilab Computer Security Coordinator
+1 630 840 3461
** Computer security contact line: +1 630 840 2345 **