What's your rating of Message Queuing

Microsoft Security Bulletin MS14-062 - Important

  • 9 minutes to read

Vulnerability in Message Queuing Service Could Allow Elevation of Privilege 2993254)

Published: October 14, 2014

Version: 1.0

General information

Brief summary

This security update resolves a publicly disclosed vulnerability in Microsoft Windows. The vulnerability could allow elevation of privilege if an attacker sent a specially crafted input / output control (IOCTL) request to the Message Queuing service. Successful exploitation of this vulnerability could allow full access to the affected system. By default, the Message Queuing component is not installed on the affected operating system versions and can only be activated by a user with administrator rights. Only customers who manually activate the Message Queuing component can be susceptible to this problem.

This security update is rated Important for all supported editions of Windows Server 2003. See the section for more information Affected Software.

The update addresses the vulnerability by changing the way the Message Queuing service validates input data before it is passed to the allocated buffer. For more information about the vulnerability, see the subsection Frequently asked questions (FAQs) for the specific vulnerability later in this bulletin.

Recommendation. Most users have automatic updating turned on and do not need to take any action as this security update will be downloaded and installed automatically. For more information about specific configuration options for automatic updating, see Microsoft Knowledge Base Article 294871. For users who have not enabled automatic updating, you can use the steps in Turn automatic updating on or off to enable automatic updating.

Corporate installations and administrators, as well as end users who want to manually install this security update (including users who have not activated automatic updating), are advised to use update management software to install the update at the earliest opportunity or to check the Microsoft Update Service for updates. The updates are also available from the download locations in the Affected Software table later in this bulletin.

See the section for more instructions Discovery and deployment tools and guides in this bulletin.

Knowledge Base Articles

  • Knowledge Base Articles: 2993254
  • File information: Yes
  • SHA1 / SHA2 hashes: Yes
  • known problems: No

Affected Software

The following software versions or editions are affected. Versions or editions not listed have either reached the end of their support lifecycle or are not affected. Visit the Microsoft Support Lifecycle website to determine the support lifecycle for your software version or edition.

**Operating system** ** Maximum safety impact ** ** Assessment of the overall severity ** ** Replaced Updates **
** Windows Server 2003 **
[Windows Server 2003 Service Pack 2] (https://www.microsoft.com/download/details.aspx?familyid=1464260a-c3a9-436c-b345-e1b64325ab4f) (2993254) Elevation of Privilege High 971032 in [MS09-040] (https://go.microsoft.com/fwlink/?linkid=155979)
[Windows Server 2003 x64 Edition Service Pack 2] (https://www.microsoft.com/download/details.aspx?familyid=fd8c0b32-dd8b-461a-a110-43a076435f77) (2993254) Elevation of Privilege High 971032 in [MS09-040] (https://go.microsoft.com/fwlink/?linkid=155979)
[Windows Server 2003 with SP2 for Itanium-based Systems] (https://www.microsoft.com/download/details.aspx?familyid=b0b35a54-9178-4724-89e2-94cace12abc8) (2993254) Elevation of Privilege High 971032 in [MS09-040] (https://go.microsoft.com/fwlink/?linkid=155979)

Frequently asked questions (FAQs) about this update

I am using an older version of the software described in this security bulletin. What should I do?
The affected software listed in this bulletin have been tested to determine which versions are affected. Other versions are past their support life cycles. For more information on product cycles, see the Microsoft Support Lifecycle website.

Users of older versions of this software should migrate to versions that are supported as soon as possible in order to protect themselves from future vulnerabilities. For information about determining the support lifecycle for your software version, see Choosing a Product for Lifecycle Information. For more information about service packs for these software releases, see Service Pack Lifecycle Support Policy.

Users who require additional support for older software must contact their Microsoft account manager, technical account manager, or their respective Microsoft partner in order to receive support offerings. Customers who do not have an Alliance, Premier, or Authorized contract can contact their local Microsoft sales office. Contact information can be found at the Microsoft Worldwide website. Select your country; a list of phone numbers is displayed. When calling at the number provided, please ask for the Premier Support Regional Sales Manager. For more information, see the Microsoft Support Lifecycle Policy Frequently Asked Questions (FAQ) page.

Severity ratings and vulnerability identifiers

The following severity assessment assumes the maximum potential impact of the vulnerability. For information about the likelihood of the exploitation of the vulnerability, including its severity rating and security impact, within 30 days of the release of this security bulletin, see the Exploitability Index in the October bulletin summary. For more information, see the Microsoft Exploitability Index.

** Assessment of the severity and maximum security impact according to the software concerned **
** Affected software ** ** MQAC Elevation of Privilege Write Anywhere Vulnerability - CVE-2014-4971 ** ** Assessment of the overall severity **
** Windows Server 2003 **
Windows Server 2003 Service Pack 2 (2993254) ** High ** Elevation of Privilege **High**
Windows Server 2003 x64 Edition Service Pack 2 (2993254) ** High ** Elevation of Privilege **High**
Windows Server 2003 with SP2 for Itanium-based Systems (2993254) ** High ** Elevation of Privilege **High**

MQAC Elevation of Privilege Write Any Vulnerability - CVE-2014-4971

A vulnerability exists in the Microsoft Message Queuing Service (MSMQ) that could allow an attacker to elevate the privileges of the affected system.

For information about how to view this vulnerability as the default entry in the Common Vulnerability List, see CVE-2014-4971.

Mitigating factors

Mitigation refers to a setting, common configuration, or general best practice that can exist in a default state that can reduce the severity of a vulnerability's exploitation. The following mitigating factors may be helpful to you:

  • By default, the Message Queuing component is not installed on the affected operating system versions and can only be activated by a user with administrator rights. Only customers who manually activate the Message Queuing component can be susceptible to this problem.
  • An attacker would require valid credentials and be able to log on locally to exploit this vulnerability. The vulnerability cannot be exploited remotely or by anonymous users.

Workarounds

Workaround refers to a setting or configuration change that does not correct the underlying vulnerability but instead blocks known attack vectors before you apply the update. Microsoft has tested the following workarounds and states in the description whether a fix will limit functionality:

Disable the Message Queuing service:

  • Interactive

    Disabling the Message Queuing service will help protect against attacks that are designed to exploit this vulnerability. To disable the Message Queuing service, do the following:

    1. click on begin and then on Control panel. Or point to Settings, and then click Control panel.
    2. Double click administration. Or click on Switch to the classic view, and then double-click administration.
    3. Double click services.
    4. Double click Message queuing.
    5. Click in the list Start type on Disabled.
    6. click on break up and then on OK.  
  • Through the group policy:

    Use the Group Policy settings to disable the Message Queuing service. You can use the Group Policy Object function in Microsoft Windows 2000 or Server 2003 domain environments to disable the start of this service at the local, site, domain or organizational unit level.

    Note: You can also refer to the Windows 2003 Security Guide. This guide provides information on how to disable services. For more information about Group Policy, go to the following websites:

  • You can also stop and disable the MSMQ service by using the following command at the command prompt (available in Windows XP and in the Microsoft Windows 2000 Resource Kit):

This is how you undo the problem circumvention: Use the steps above to set the startup type to Automatic and start the service.

Frequently asked questions (FAQs)

What is the scope of the vulnerability?
This vulnerability could be exploited in a local elevation of privilege.

What causes the vulnerability?
The vulnerability is caused when the Message Queuing service improperly manipulates objects in memory by inadvertently allowing them to be overwritten.

What is Microsoft Message Queuing (MSMQ)?
Microsoft Message Queuing (MSMQ) technology enables applications running at different times to communicate across heterogeneous networks and systems that may be temporarily offline. Applications send messages to queues and read messages from queues. Message Queuing provides guaranteed message delivery, efficient routing, security, and priority-based messaging. It can be used to implement solutions for both asynchronous and synchronous messaging scenarios. For more information, see the Microsoft Message Queuing product documentation.

What is an input / output control (IOCTL)?
Windows enables applications to request services directly from device drivers. The interface through which this is done is an input / output controller, or IOCTL.

What could an attacker use this vulnerability to do?
If an attacker successfully exploited this vulnerability, they could take complete control of the affected system. An attacker could then install programs, view, change or delete data or create new accounts with full user rights.

How would an attacker proceed to exploit this vulnerability?
An attacker could exploit the vulnerability by sending a specially crafted IOCTL request to the Message Queuing service. Successful exploitation of this vulnerability could allow full access to the affected system.

Which systems are primarily at risk from this vulnerability?
Workstations and servers running the Message Queuing service are primarily at risk from this vulnerability.

What does the update do?
The update addresses the vulnerability by changing the way the MSMQ service validates input data before it is passed to the allocated buffer.

At the time this security bulletin was published, was this vulnerability publicly known?
Yes. This vulnerability has been published. She has been assigned the number CVE-2014-4971 for Common Vulnerability.

At the time this security bulletin was published, did Microsoft have any information that this vulnerability had been exploited?
No. At the time this security bulletin was first published, Microsoft had no information that this vulnerability had been publicly used to target users.

Discovery and deployment tools and guides

There are several resources available to help administrators deploy security updates.

  • The Microsoft Baseline Security Analyzer (MBSA) enables administrators to check local and remote systems for missing security updates and for frequently misconfigured security parameters.
  • Windows Server Update Services (WSUS), Systems Management Server (SMS) and System Center Configuration Manager help administrators distribute security updates.
  • The update compatibility assessment components included in the Application Compatibility Toolkit help test and verify the compatibility of Windows updates with installed applications.

For more information about these and other tools available, see Security Tools.

Provision of security updates

Windows Server 2003 (all editions)

Reference table

The following table contains the security update information for this software.

Security update filenamesFor all supported 32-bit editions of Windows Server 2003:
WindowsServer2003-KB2993254-x86-ENU.exe

For all supported x64-based editions of Windows Server 2003:
WindowsServer2003-KB2993254-x64-ENU.exe

For all supported Itanium-based editions of Windows Server 2003:
WindowsServer2003-KB2993254-ia64-ENU.exe
Installation optionsSee Microsoft Knowledge Base Article 934307
Update log fileKB2993254.log
Restart requestYes, you will have to restart the system after installing this security update.
Uninstall informationUse the option software in the Control panel or the Spuninst.exe utility in the% Windir% \ $ NTUninstallKB2993254 $ \ Spuninst folder.
File informationSee Microsoft Knowledge Base Article 2993254
Verification of the registry keyHKEY_LOCAL_MACHINE \ SOFTWARE \ Microsoft \ Updates \ Windows Server 2003 \ SP3 \ KB2993254 \ Filelist
More information: ---------------------- ### Microsoft Active Protections Program (MAPP) To improve security protection for users, Microsoft has introduced major security software vendors to the The monthly publication of the security updates provides information about the security vulnerabilities. Security software vendors can then use this vulnerability information to provide users with updated protection about their security software or devices; B. Antivirus, network-based intrusion detection systems or host-based intrusion prevention systems. To find out if active protection is available from the security software vendors, visit the Active Protections websites provided by the program partners under [Microsoft Active Protections Program (MAPP)] (https://go.microsoft.com/ fwlink /? linkid = 215201) are listed. ### Support ** How to get help and support for this security update ** - Help with installing updates: [Support for Microsoft Update] (https://support.microsoft.com/gp/windows-update-issues/de -de) - Security solutions for IT experts: [TechNet Security - Troubleshooting and Support] (https://technet.microsoft.com/de-de/security/bb980617.aspx) - How to protect your computer running Windows against viruses and malicious software: [Virus solution and Security Center] (https://support.microsoft.com/contactus/cu_sc_virsec_master) - Local support according to your country: [International Support] (https://support.microsoft.com /common/international.aspx) ### Disclaimer The information in the Microsoft Knowledge Base is provided as is and without any warranty of any kind. Microsoft disclaims all other warranties, whether express or implied, including those of merchantability or fitness for a particular purpose. In no event shall Microsoft Corporation and / or its respective suppliers be liable for damages of any kind, including direct, indirect, incidental, consequential, loss of profit, or special damages, even if Microsoft Corporation and / or their respective Suppliers have been advised of the potential for this damage. Because some states / jurisdictions do not allow the exclusion or limitation of liability for incidental or consequential damages, the above limitation may not apply to you. ### Revisions - V1.0 (October 14, 2014): Bulletin published. * Page generated on 07.10.2014 at 14: 53Z-07: 00. *