Why we’re critical on MS08-001

On January 24, 2008, in Security, by

Last night MS08-001 kicked SBS up to “critical” for this patch, and the reason is that we’re running WINS on
our boxes (along with the kitchen sink software and all that).

You may want to run netsh int ip show joins on your
systems that are NOT SBS to see whether you are critical rather than important,
that is, whether your servers are joined to multicast groups.

http://blogs.technet.com/swi/archive/2008/01/10/MS08_2D00_001-_2D00_-The-case-of-the-missing-Windows-Server-2003-attack-vector.aspx

Question 2: How can I tell whether my Windows Server
2003 machine is vulnerable?

Answer: If the server joins to any multicast group
other than 224.0.0.1, then it is vulnerable to
IGMP attack.

Using the following netsh command will show the
multicast groups to which the machine is joined.

netsh int ip show joins

For example, if the WINS component is enabled in Win2k3
server, the output of the netsh command above would be:

Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
10.1.1.1         224.0.1.24

224.0.1.24 is the IP multicast group for WINS. The
configuration above (if unpatched) is vulnerable to
the IGMP attack.

http://blogs.technet.com/swi

On an SBS box (any version, not just SP2) you will see your
internal IP and then the following when you run:
 netsh int ip show joins
You’ll most likely get this output (UNLESS you are Steve Foster and
have your SBS box set up without WINS, which is possible…):
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
Interface Addr   Multicast Group
---------------  ---------------
192.168.16.2     224.0.0.1
192.168.16.2     224.0.0.2
192.168.16.2     224.0.1.24
192.168.16.2     239.255.255.254
192.168.1.4      224.0.0.1
192.168.1.4      224.0.0.2
SBS 2003 SP1, R2, SP2, even RTM: we’re all running WINS and
thus are now rated critical.
With WINS typically not being externally exposed, an attacker would
still have to wiggle in, but it’s important to understand WHY we’re rated
critical for this and why a normal Windows 2003 server is not.
On the ActiveDir list, David Loder indicated that the IBM Director Agent
software also joins this group. So even non-SBS shops may
want to run that command to see whether they are “critical” rather
than just important.
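The check described above, as an added example that is not part of the original post or of Microsoft’s guidance: a small Python script that parses the text of netsh int ip show joins (a constructed sample shaped like the listing above, not output from a real host) and applies the rule from the SWI answer, any group other than 224.0.0.1 means the unpatched box is exposed to the IGMP vector and the bulletin is “critical” rather than “important” for it. The only group labels it assumes are 224.0.1.24 for WINS (from the post) and 224.0.0.2 for all-routers; everything else is reported as unknown. Note that this tells you which groups the box has joined, not whether the patch is installed; WINS keeps joining its group after patching.

```python
import ipaddress
import re

# Constructed sample, shaped like `netsh int ip show joins` on Windows Server 2003
# and modelled on the listing in the post. Addresses are examples, not a real host.
SAMPLE_SBS_OUTPUT = """\
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
Interface Addr   Multicast Group
---------------  ---------------
192.168.16.2     224.0.0.1
192.168.16.2     224.0.0.2
192.168.16.2     224.0.1.24
192.168.16.2     239.255.255.254
192.168.1.4      224.0.0.1
192.168.1.4      224.0.0.2
"""

# Constructed output for a host that joins nothing beyond the all-hosts group.
SAMPLE_PLAIN_OUTPUT = """\
Interface Addr   Multicast Group
---------------  ---------------
10.1.1.1         224.0.0.1
"""

ALL_HOSTS = ipaddress.IPv4Address("224.0.0.1")

# Labels for the groups we can name: 224.0.1.24 is the WINS group named in the
# post, 224.0.0.2 is the all-routers group. Anything else is reported as unknown.
GROUP_LABELS = {
    ipaddress.IPv4Address("224.0.0.2"): "all-routers",
    ipaddress.IPv4Address("224.0.1.24"): "WINS",
}

# A data row is two dotted quads separated by whitespace; banner, header and
# separator lines do not match and are skipped.
ROW = re.compile(r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+(\d{1,3}(?:\.\d{1,3}){3})\s*$")


def parse_joins(output):
    """Return {interface address (str): [multicast groups (str)]} from netsh output."""
    joins = {}
    for line in output.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        iface = ipaddress.IPv4Address(m.group(1))
        group = ipaddress.IPv4Address(m.group(2))
        if not group.is_multicast:
            continue  # not a group membership row
        joins.setdefault(str(iface), []).append(str(group))
    return joins


def assess(output):
    """Apply the post's rule: joined to anything other than 224.0.0.1 means the
    unpatched host is exposed to the IGMP vector, so MS08-001 rates 'critical'
    for it; only 224.0.0.1 means 'important'."""
    findings = []
    for iface, groups in parse_joins(output).items():
        for group in groups:
            if ipaddress.IPv4Address(group) == ALL_HOSTS:
                continue
            label = GROUP_LABELS.get(ipaddress.IPv4Address(group), "unknown")
            findings.append((iface, group, label))
    severity = "critical" if findings else "important"
    return {"severity": severity, "extra_groups": findings}


if __name__ == "__main__":
    for name, text in (("SBS-style host", SAMPLE_SBS_OUTPUT),
                       ("plain host", SAMPLE_PLAIN_OUTPUT)):
        result = assess(text)
        print(f"{name}: MS08-001 rating {result['severity']}")
        for iface, group, label in result["extra_groups"]:
            print(f"  {iface} joined {group} ({label})")
```

To use it against a real box, paste the output of netsh int ip show joins into a file and pass its contents to assess(); the WINS group will show up with the label WINS and any unfamiliar group is worth identifying before deciding the box is only “important”.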


One Response to Why we’re critical on MS08-001

  1. matt katzer says:

    After reading the blog postings etc. if you apply the patch, how do you determine that the problem has gone away?