MS01-024: Malformed Request to Domain Controller Can Cause Memory Exhaustion View products that this article applies to. Article ID : 294391 Last Review : June 16, 2004 Revision : 3.0 This article was previously published under Q294391 On This Page SYMPTOMS Mitigating Factors RESOLUTION STATUS MORE INFORMATION APPLIES TO SYMPTOMS A core service that runs on all Windows 2000 domain controllers (but not on any other computers), contains a memory leak that can be triggered when the service attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller (DC) could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. Note that an affected computer could be restored to service by rebooting. Back to the top Mitigating Factors • Users who were already logged on and using previously-issued Kerberos tickets would not be affected by DC unavailability. • If there were multiple DCs on the domain, the unaffected computers could pick up the other computer's load. • If normal security practices have been followed, Internet users would be prevented (by use of firewalls and other measures) from levying requests directly to DCs. Back to the top RESOLUTION To resolve this problem, obtain the latest service pack for Windows 2000. For additional information, click the following article number to view the article in the Microsoft Knowledge Base: 260910 (http://support.microsoft.com/kb/260910/EN-US/) How to Obtain the Latest Windows 2000 Service Pack The English version of this fix should have the following file attributes or later: Date Time Version Size File name ---------------------------------------------------------------------- 6/27/2001 12:19p 5.0.2195.3787 501,520 Lsasrv.dll (56-bit) 6/27/2001 01:53p 5.0.2195.3787 355,088 Advapi32.dll 6/27/2001 01:50p 5.0.2195.3787 519,440 Instlsa5.dll 6/27/2001 01:53p 5.0.2195.3787 143,120 Kdcsvc.dll 6/26/2001 08:15p 5.0.2195.3781 197,392 Kerberos.dll 6/26/2001 08:16p 5.0.2195.3781 69,456 Ksecdd.sys 6/27/2001 12:20p 5.0.2195.3787 501,520 Lsasrv.dll 6/26/2001 08:16p 5.0.2195.3781 33,552 Lsass.exe 6/27/2001 01:53p 5.0.2195.3781 909,072 Ntdsa.dll 6/27/2001 01:53p 5.0.2195.3781 382,224 Samsrv.dll 6/27/2001 01:53p 5.0.2195.3781 128,784 Scecli.dll 6/27/2001 01:53p 5.0.2195.3649 299,792 Scesrv.dll Back to the top STATUS Microsoft has confirmed that this problem may cause a degree of security vulnerability in Windows 2000. This problem was first corrected in Windows 2000 Service Pack 3. Back to the top MORE INFORMATION For more information about this vulnerability, please see the following Microsoft Web site: http://www.microsoft.com/technet/security/bulletin/MS01-024.mspx (http://www.microsoft.com/technet/security/bulletin/ms01-024.mspx) For additional information about how to obtain a hotfix for Windows 2000 Datacenter Server, click the article number below to view the article in the Microsoft Knowledge Base: 265173 (http://support.microsoft.com/kb/265173/EN-US/) The Datacenter Program and Windows 2000 Datacenter Server Product For additional information about how to install multiple hotfixes with only one reboot, click the article number below to view the article in the Microsoft Knowledge Base: 296861 (http://support.microsoft.com/kb/296861/EN-US/) Use QChain.exe to Install Multiple Hotfixes with One Reboot Back to the top -------------------------------------------------------------------------------- APPLIES TO • Microsoft Windows 2000 Service Pack 1 • Microsoft Windows 2000 Service Pack 2 • Microsoft Windows 2000 Advanced Server SP1 • Microsoft Windows 2000 Advanced Server SP2