Released: 11 December 2002
Revised: 22 January 2003 (version 2.0) Software: Microsoft Windows 2000 / Microsoft Windows XP
Impact: Modify group policy
Max Risk: Moderate Subsequent to releasing this bulletin it was determined that the fix was not included in Microsoft Windows XP Service Pack 1. The bulletin has been updated to reflect this, and the patch had been updated so that it installs on Windows XP Service Pack 1 systems. Customers who are currently running XP Service Pack 1 should apply the patch.
Server Message Block (SMB) is a protocol natively supported by all versions of Windows. Although nominally a file-sharing protocol, it is used for other purposes as well, the most important of which is disseminating group policy information from domain controllers to newly logged on systems. Beginning with Windows 2000, it is possible to improve the integrity of SMB sessions by digitally signing all packets in a session. Windows 2000 and Windows XP can be configured to always sign, never sign, or sign only if the other party requires it. A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP could enable an attacker to silently downgrade the SMB Signing settings on an affected system. To do this, the attacker would need access to the session negotiation data as it was exchanged between a client and server, and would need to modify the data in a way that exploits the flaw. This would cause either or both systems to send unsigned data regardless of the signing policy the administrator had set. After having downgraded the signing setting, the attacker could continue to monitor the session and change data within it; the lack of signing would prevent the communicants from detecting the changes. Download Patch
Revised: 22 January 2003 (version 2.0) Software: Microsoft Windows 2000 / Microsoft Windows XP
Impact: Modify group policy
Max Risk: Moderate Subsequent to releasing this bulletin it was determined that the fix was not included in Microsoft Windows XP Service Pack 1. The bulletin has been updated to reflect this, and the patch had been updated so that it installs on Windows XP Service Pack 1 systems. Customers who are currently running XP Service Pack 1 should apply the patch.
Server Message Block (SMB) is a protocol natively supported by all versions of Windows. Although nominally a file-sharing protocol, it is used for other purposes as well, the most important of which is disseminating group policy information from domain controllers to newly logged on systems. Beginning with Windows 2000, it is possible to improve the integrity of SMB sessions by digitally signing all packets in a session. Windows 2000 and Windows XP can be configured to always sign, never sign, or sign only if the other party requires it. A flaw in the implementation of SMB Signing in Windows 2000 and Windows XP could enable an attacker to silently downgrade the SMB Signing settings on an affected system. To do this, the attacker would need access to the session negotiation data as it was exchanged between a client and server, and would need to modify the data in a way that exploits the flaw. This would cause either or both systems to send unsigned data regardless of the signing policy the administrator had set. After having downgraded the signing setting, the attacker could continue to monitor the session and change data within it; the lack of signing would prevent the communicants from detecting the changes. Download Patch
