
Microsoft ASN.1 Remote Code Execution (MS04-007)

Attack ID: CPAI-2004-07
Publish Date:
Last Update:
Category: Microsoft Networks
Vulnerable Systems: Microsoft Windows platforms
Source: Microsoft Security Bulletin MS04-007

Description: A security vulnerability has been discovered in the Microsoft ASN.1 implementation which can potentially lead to remote code execution. ASN.1 is a data encoding standard used in many applications and devices for interoperability.
Severity:
Details:

A specially crafted packet sent to a vulnerable machine may cause an overflow in an unchecked buffer within the Microsoft ASN.1 library, allowing arbitrary code execution with System user privileges.

Because of the wide usage of ASN.1, multiple protocols are exposed to this vulnerability.

Attack Detection:

Users of VPN-1 NG with Application Intelligence R55, R55W and InterSpect who have applied the solution outlined below will receive the following logging entries upon attack attempts:

Users of R55W and InterSpect:

Attack Name: MS-ASN.1 Enforcement Violation
Attack Information (may vary):

  • Malformed ASN.1 BitString Syntax Detected
  • Malformed ASN.1 BitString Syntax Detected in SMTP Authentication

Users of R55:

A log entry with DROP on rule 4999 will be generated by VPN-1.
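The following is an added illustration, not Check Point's or Microsoft's code, of the kind of syntax check behind a "Malformed ASN.1 BitString Syntax Detected" event described above: it validates one primitive BER BIT STRING TLV against the X.690 rules (length must fit the packet, unused-bits octet must be 0 to 7, an empty string must carry zero unused bits) instead of trusting the length field. The sample TLVs are constructed here for the demonstration.

```python
# Added example: minimal BER BIT STRING syntax checker (defensive parser).
from typing import Dict, Tuple

BIT_STRING_TAG = 0x03


def decode_length(buf: bytes, pos: int) -> Tuple[int, int]:
    """Return (length, next_pos) for the BER length at buf[pos]; raise on bad syntax."""
    if pos >= len(buf):
        raise ValueError("truncated length")
    first = buf[pos]
    if first < 0x80:                      # short form: single octet
        return first, pos + 1
    n = first & 0x7F                      # long form: n octets follow
    if n == 0 or n > 4:                   # 0x80 = indefinite form, not valid for a primitive type
        raise ValueError("indefinite or oversized length form")
    if pos + 1 + n > len(buf):
        raise ValueError("truncated long-form length")
    return int.from_bytes(buf[pos + 1:pos + 1 + n], "big"), pos + 1 + n


def check_bit_string(buf: bytes) -> str:
    """Validate one primitive BER BIT STRING TLV. Returns 'ok' or the reason it is malformed."""
    if len(buf) < 2:
        return "truncated header"
    if buf[0] != BIT_STRING_TAG:
        return "not a BIT STRING tag"
    try:
        length, pos = decode_length(buf, 1)
    except ValueError as err:
        return str(err)
    if length > len(buf) - pos:           # declared length runs past the packet: never trust it
        return "length exceeds packet"
    if length == 0:                       # X.690 8.6.2: contents hold at least the unused-bits octet
        return "missing unused-bits octet"
    unused = buf[pos]
    if unused > 7:
        return "unused-bits octet out of range"
    if length == 1 and unused != 0:       # empty bit string must declare zero unused bits
        return "unused bits with empty bit string"
    return "ok"


# Constructed sample TLVs (not captured traffic): one valid, four malformed.
SAMPLES: Dict[str, bytes] = {
    "valid":        bytes([0x03, 0x03, 0x05, 0xA0, 0xC0]),               # 11 bits, 5 unused
    "bad_unused":   bytes([0x03, 0x02, 0x09, 0xFF]),                     # unused-bits octet 9
    "empty_unused": bytes([0x03, 0x01, 0x04]),                           # empty string, 4 unused
    "over_length":  bytes([0x03, 0x84, 0xFF, 0xFF, 0xFF, 0xFF, 0x00]),   # length far beyond packet
    "indefinite":   bytes([0x03, 0x80, 0x00, 0x00]),                     # indefinite length form
}


def scan(samples: Dict[str, bytes]) -> Dict[str, str]:
    """Run the checker over each sample and return its verdict by name."""
    return {name: check_bit_string(tlv) for name, tlv in samples.items()}
```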
Solution: Users of VPN-1 NG with Application Intelligence R55 should update their SmartDefense by pressing the “Update Now” button in the general tab.

To apply the protection, one should do the following:

  1. Inside the SmartDefense tab select Application Intelligence -> Microsoft Networks
  2. Mark “Block ASN.1 BitString encoding attack”
  3. Select which protocols you would like to protect
  4. Install Policy on all modules

SMTP protection:
To apply the protection on SMTP connections:

  1. Inside the SmartDefense tab select Application Intelligence -> Mail
  2. Mark "Block ASN.1 BitString encoding attack over SMTP"
  3. Install Policy on all modules

Note: The SMTP Security Server already protects against this vulnerability.

HTTP protection:
To apply the protection on HTTP connections:

  1. Inside the SmartDefense tab select Application Intelligence -> Web -> HTTP Protocol Inspection
  2. Mark "Peer to Peer"
  3. Check all 3 "MS-ASN.1 BitString" headers
  4. Install Policy on all modules

(You can use "Install Policy" on all modules as the final step for all of the procedures above.)

Users deploying SecureClient R55 and above with SCV checks can download the attached local.scv file and integrate it into their system. This file contains a configuration that checks for Microsoft 828028 hotfix, which deals with the discussed vulnerability.

  • local.scv (MD5: B5672FD1B254EB23C33977329A8DB933)

Users of Check Point Integrity:

  • Install Microsoft patch 828028 from the WindowsUpdate site to remove this vulnerability from the Windows operating system.
  • Review Microsoft Security Bulletin MS04-007.
  • Define a Cooperative Enforcement™ rule within your enterprise policy to ensure protected endpoints have installed Microsoft patch 828028. See Microsoft Security Bulletin MS04-007 for more details.
Industry Reference: CAN-2003-0818
Additional Information: Zone Labs Security Advisory