| VID |
28028 |
| Severity |
30 |
| Port |
139,445 |
| Protocol |
TCP |
| Class |
SMB |
| Detailed Description |
The Windows Registry Key 'HKLM\CurrentControlSet\Control\SecurePipeServers\winreg' is writable by non-administrators. The Security permissions set on this key define what Users or Groups can connect to the system for remote Registry access.
Default installations of Microsoft Windows NT 3.51 and Windows NT 4.0 Service Pack 3 priors allow anyone to remotely connect to the registry. And also the installation software of Microsoft Exchange Server 2000 sets this key to a world-writable mode. Remote attackers can exploit this issue to make modifications to the registry.
* Note: This check requires an account with Guest or upper privileges which can access the registry of the remote host to scan. Absence of these condition will result in the check not being performed and a False Negative for all vulnerable hosts.
* References:
http://www.microsoft.com/technet/security/bulletin/MS02-003.asp
http://support.microsoft.com/default.aspx?scid=KB;en-us;q153183
http://www.securityfocus.com/bid/6830
http://www.iss.net/security_center/static/151.php
* Platforms Affected:
Microsoft Exchange 2000
Windows NT Any version |
| Recommendation |
Apply the patch for this vulnerability. The patch only removes the "Everyone" group's permissions on the WinReg key. All other Registry permissions remain intact.
For Windows NT:
Apply the latest Windows NT 4.0 Service Pack (SP4 or later), available from the Windows NT Service Packs Web page, http://support.microsoft.com/support/ntserver/Content/ServicePacks/
For Microsoft Exchange Server 2000:
Apply the patch for this vulnerability, as listed in Microsoft Security Bulletin MS02-003, http://www.microsoft.com/technet/security/bulletin/MS02-003.asp
-- AND --
Using the registry editor, apply permissions to allow access to Administrators only for the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg. If this key is not present, create it, then apply permissions.
To restrict registry access:
1. Open Registry Editor. From the Windows NT/2000 Start menu, select Run, type regedt32, and click OK.
2. Go to the HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg registry key.
3. From the Security menu, select Permissions to display the Registry Key Permissions dialog box.
4. Review the listed permissions and apply permissions to allow users remote registry access. The default configuration for Windows permits only Administrators remote access to the Registry. In Windows 2000 and later, only Administrators and Backup Operators have default network access to the registry.
5. Exit Registry Editor and restart Windows. |
| Related URL |
CVE-1999-0562,CVE-2002-0049 (CVE) |
| Related URL |
(SecurityFocus) |
| Related URL |
(ISS) |
|
