[VIM] Various CVEs for Windows 2000 SP4 Update Rollup 1

Steven M. Christey coley at mitre.org
Thu Oct 6 01:31:58 EDT 2005


FYI, I slogged through Microsoft KB article 900345 for the Update
Rollup 1 for Microsoft Windows 2000 Service Pack 4 and found 10
security-relevant issues.  There might be more than that, but these
were the ones that were clearly security-relevant.

- Steve



======================================================
Candidate: CAN-2005-3168
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3168
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:834424
Reference: URL:http://support.microsoft.com/kb/834424/

The SECEDIT command on Microsoft Windows 2000 before Update Rollup 1
for SP4, when using a security template to set Access Control Lists
(ACLs) on folders, does not apply ACLs on folders that are listed
after a long folder entry, which could result in less secure
permissions than specified by the template.


======================================================
Candidate: CAN-2005-3169
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3169
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:833873
Reference: URL:http://support.microsoft.com/kb/833873

Microsoft Windows 2000 before Update Rollup 1 for SP4, when the "audit
directory service access" policy is enabled, does not record a 565
event message for File Delete Child operations on an Active Directory
object in the security event log, which could allow attackers to
conduct unauthorized activities without detection.


======================================================
Candidate: CAN-2005-3170
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3170
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:883639
Reference: URL:http://support.microsoft.com/kb/883639

The LDAP client on Microsoft Windows 2000 before Update Rollup 1 for
SP4 accepts certificates using LDAP Secure Sockets Layer (LDAPS) even
when the Certificate Authority (CA) is not trusted, which could allow
attackers to trick users into believing that they are accessing a
trusted site.


======================================================
Candidate: CAN-2005-3171
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3171
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:884559
Reference: URL:http://support.microsoft.com/kb/884559

Microsoft Windows 2000 before Update Rollup 1 for SP4 records Event ID
1704 to indicate that Group Policy security settings were successfully
updated, even when the processing fails such as when Ntuser.pol cannot
be accessed, which could cause system administrators to believe that
the system is compliant with the specified settings.


======================================================
Candidate: CAN-2005-3172
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3172
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:824867
Reference: URL:http://support.microsoft.com/kb/824867

The WideCharToMultiByte function in Microsoft Windows 2000 before
Update Rollup 1 for SP4 does not properly convert strings with
Japanese composite characters in the last character, which could
prevent the string from being null terminated and lead to data
corruption or enable buffer overflow attacks.
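The failure mode in this entry, a fixed-buffer string conversion that leaves the output unterminated when the final character needs more output bytes than remain, is easy to model. The following is an added example, written for this page and not taken from the post or from Microsoft; it is a toy UTF-16 (BMP only, no surrogate handling) to UTF-8 converter, not the Windows WideCharToMultiByte API. `convert_naive` reproduces the defect by writing a partial last character and skipping the terminator; `convert_checked` shows the behaviour a caller should insist on: reserve the terminator byte up front, write whole characters or nothing, always terminate, and report truncation through the return value.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Encode one BMP code point as UTF-8 into out; returns bytes written (1..3),
 * or 0 if the encoded character would not fit in room. */
static size_t put_utf8(uint32_t cp, char *out, size_t room)
{
    size_t n = cp < 0x80 ? 1 : cp < 0x800 ? 2 : 3;
    if (n > room)
        return 0;
    if (n == 1) {
        out[0] = (char)cp;
    } else if (n == 2) {
        out[0] = (char)(0xC0 | (cp >> 6));
        out[1] = (char)(0x80 | (cp & 0x3F));
    } else {
        out[0] = (char)(0xE0 | (cp >> 12));
        out[1] = (char)(0x80 | ((cp >> 6) & 0x3F));
        out[2] = (char)(0x80 | (cp & 0x3F));
    }
    return n;
}

/* Defective model: fills the buffer byte by byte, so a multi-byte final
 * character can be cut in half, and a terminator is appended only if a
 * byte happens to be left over. Returns bytes written (no terminator counted). */
size_t convert_naive(const uint16_t *in, size_t in_len, char *out, size_t out_size)
{
    size_t used = 0;
    for (size_t i = 0; i < in_len && used < out_size; i++) {
        char tmp[4];
        size_t n = put_utf8(in[i], tmp, sizeof tmp);
        size_t room = out_size - used;
        if (n > room)
            n = room;                 /* BUG: copies a partial character */
        memcpy(out + used, tmp, n);
        used += n;
    }
    if (used < out_size)
        out[used] = '\0';             /* BUG: terminator only if room remains */
    return used;
}

/* Hardened model: reserves the terminator byte first, never writes a partial
 * character, always terminates, and returns 1 on success or 0 on truncation
 * (the output is still a valid, terminated string in both cases). */
int convert_checked(const uint16_t *in, size_t in_len, char *out, size_t out_size,
                    size_t *written)
{
    size_t used = 0;
    int complete = 1;
    if (out_size == 0) {
        if (written)
            *written = 0;
        return 0;
    }
    size_t limit = out_size - 1;      /* one byte reserved for '\0' */
    for (size_t i = 0; i < in_len; i++) {
        size_t n = put_utf8(in[i], out + used, limit - used);
        if (n == 0) {                 /* whole character or nothing */
            complete = 0;
            break;
        }
        used += n;
    }
    out[used] = '\0';
    if (written)
        *written = used;
    return complete;
}

int main(void)
{
    /* Constructed input: "ab" followed by U+65E5 (a three-byte character). */
    const uint16_t s[3] = { 0x61, 0x62, 0x65E5 };
    char buf[4];                      /* sized in_len + 1, as if one byte per char */
    size_t w = 0;

    memset(buf, 'X', sizeof buf);
    convert_naive(s, 3, buf, sizeof buf);
    printf("naive: terminator present = %s\n",
           memchr(buf, '\0', sizeof buf) ? "yes" : "no");

    int ok = convert_checked(s, 3, buf, sizeof buf, &w);
    printf("checked: complete = %d, wrote %zu bytes, string = \"%s\"\n", ok, w, buf);
    return 0;
}
```

The real API behaves differently from the naive model in one respect worth remembering: WideCharToMultiByte only emits a terminator when the input length passed to it includes one (a length of -1), and it returns 0 when the output buffer is too small. A caller that passes an explicit input length and a tightly sized buffer must therefore check the return value and terminate the buffer itself, which is exactly the discipline `convert_checked` bakes in.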


======================================================
Candidate: CAN-2005-3173
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3173
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:821102
Reference: URL:http://support.microsoft.com/kb/821102

Microsoft Windows 2000 before Update Rollup 1 for SP4 does not apply
group policies if the user logs on using UPN credentials with a
trailing dot, which prevents Windows 2000 from finding the correct
domain controller and could allow the user to bypass intended
restrictions.


======================================================
Candidate: CAN-2005-3174
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3174
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:830847
Reference: URL:http://support.microsoft.com/kb/830847

Microsoft Windows 2000 before Update Rollup 1 for SP4 allows users to
log on to the domain, even when their password has expired, if the
fully qualified domain name (FQDN) is 8 characters long.


======================================================
Candidate: CAN-2005-3175
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3175
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:842742
Reference: URL:http://support.microsoft.com/kb/842742

Microsoft Windows 2000 before Update Rollup 1 for SP4 allows a local
administrator to unlock a computer even if it has been locked by a
domain administrator, which allows the local administrator to access
the session as the domain administrator.


======================================================
Candidate: CAN-2005-3176
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3176
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:891076
Reference: URL:http://support.microsoft.com/kb/891076

Microsoft Windows 2000 before Update Rollup 1 for SP4 does not record
the IP address of a Windows Terminal Services client in a security log
event if the client connects successfully, which could make it easier
for attackers to escape detection.


======================================================
Candidate: CAN-2005-3177
URL: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2005-3177
Reference: MSKB:900345
Reference: URL:http://support.microsoft.com/kb/900345
Reference: MSKB:831375
Reference: URL:http://support.microsoft.com/kb/831375
Reference: MSKB:831374
Reference: URL:http://support.microsoft.com/kb/831374

CHKDSK in Microsoft Windows 2000 before Update Rollup 1 for SP4,
Windows XP, and Windows Server 2003, when running in fix mode, does
not properly handle security descriptors if the master file table
contains a large number of files or if the descriptors do not satisfy
certain NTFS conventions, which could cause ACLs for some files to be
reverted to less secure defaults, or cause security descriptors to be
removed.
