Vulnerability: MS09-018 - Vulnerabilities in Active Directory Could Allow Remote Code Execution

CVE-2009-1138, CVE-2009-1139

Users are advised to apply the vendor patch for MS09-018 .

This security update resolves two privately reported vulnerabilities in implementations of Active Directory on Microsoft Windows 2000 Server and Windows Server 2003, and Active Directory Application Mode (ADAM) when installed on Windows XP Professional and Windows Server 2003. The more severe vulnerability could allow remote code execution. An attacker who successfully exploited this vulnerability could take complete control of an affected system remotely. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.

This vulnerability may allow malicious attacker to take control over a Windows based server remotely by sending a malformed LDAP request. All users are advised to apply the security patch immediately for all servers exposed to external netorks. 

Since potential attacks are likely to come from external network system administrators are advised to configure firewalls to block inbound traffic on TCP ports 389, 636, 3268 and 3269.

At the time of writing SophosLabs has seen no samples of malware attempting to exploit this vulnerability. Should this situation change samples will be analysed and we will take action as necessary.

Windows Server 2000
Windows Server 2003

http://www.microsoft.com/technet/security/Bulletin/ms09-018.mspx
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1138
http://www.cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-1139

Microsoft MAPP program

9 June 2009 - initial analysis written