Cisco Unity

Field Notice: Cisco Unity - ASN.1 Vulnerability Could Allow Code Execution - Microsoft Security Bulletin MS04-007


February 20, 2004


Products Affected

Cisco Unity - all versions

Problem Description

A security vulnerability exists in the Microsoft ASN.1 Library that could allow code execution on an affected system. The vulnerability is caused by an unchecked buffer in the Microsoft ASN.1 Library, which could result in a buffer overflow. An attacker who successfully exploits this buffer overflow vulnerability could execute code with system privileges on an affected system. The attacker could then take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

Abstract Syntax Notation 1 (ASN.1) is a data standard that is used by many applications and devices in the technology industry for allowing the normalization and understanding of data across various platforms. More information about ASN.1 can be found in Microsoft Knowledge Base Article 252648.
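The class of defect described above, a decoder trusting a length it has not checked, is avoided by validating every declared length before copying. The following is an added example, not code from Microsoft, Cisco, or this notice, and it does not reproduce the specific flaw in the Microsoft ASN.1 Library, which the notice does not detail. The function names, result codes, and sample byte strings are assumptions constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Illustrative result codes (names chosen for this example). */
enum { BER_OK = 0, BER_TRUNCATED = -1, BER_BAD_LENGTH = -2, BER_TOO_BIG = -3 };

/* Parse one BER TLV (single-octet tag) from in[0..in_len) and copy its value
 * into out[0..out_cap). The declared length is checked against the remaining
 * input and the destination size before any byte is copied. */
int ber_copy_value(const uint8_t *in, size_t in_len,
                   uint8_t *out, size_t out_cap, size_t *out_len)
{
    size_t pos = 1, len = 0;                      /* pos 1: skip the tag octet */

    if (in_len < 2) return BER_TRUNCATED;         /* need tag + length octet */
    uint8_t first = in[pos++];
    if (first < 0x80) {                           /* short form: 0..127 */
        len = first;
    } else {
        size_t n = first & 0x7F;                  /* number of length octets */
        if (n == 0) return BER_BAD_LENGTH;        /* indefinite form refused */
        if (n > sizeof(size_t)) return BER_BAD_LENGTH; /* would overflow len */
        if (n > in_len - pos) return BER_TRUNCATED;
        while (n--) len = (len << 8) | in[pos++];
    }
    if (len > in_len - pos) return BER_TRUNCATED; /* claims more than was sent */
    if (len > out_cap) return BER_TOO_BIG;        /* would overrun out[] */
    memcpy(out, in + pos, len);
    *out_len = len;
    return BER_OK;
}

/* Decode into an 8-byte buffer; returns the value length or a negative code. */
int demo_decode(const uint8_t *in, size_t in_len)
{
    uint8_t buf[8];
    size_t n = 0;
    int rc = ber_copy_value(in, in_len, buf, sizeof buf, &n);
    return rc == BER_OK ? (int)n : rc;
}

/* Constructed sample encodings (not captured traffic). */
const uint8_t SAMPLE_OK[]    = { 0x04, 0x03, 'a', 'b', 'c' };       /* 3-byte value */
const uint8_t SAMPLE_LIE[]   = { 0x04, 0x82, 0x10, 0x00, 'a' };     /* claims 4096, carries 1 */
const uint8_t SAMPLE_BIG[]   = { 0x04, 0x09, 1, 2, 3, 4, 5, 6, 7, 8, 9 }; /* 9 > buffer of 8 */
const uint8_t SAMPLE_INDEF[] = { 0x04, 0x80, 0x00, 0x00 };          /* indefinite length */
```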

Background

Systems Affected:

  • Microsoft Windows NT 4.0 (all versions)

  • Microsoft Windows 2000 (SP3 and earlier)

Problem Symptoms

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain complete control over an affected system. An attacker could take any action on the system, including installing programs, viewing data, changing data, deleting data, or creating new accounts with full privileges.

Workaround/Solution

Microsoft has released a patch for these vulnerabilities, which is available on the Microsoft Security Bulletin MS04-007 page.

Windows 2000 (all versions) Prerequisites:

For Windows 2000 this security update requires Service Pack 2 (SP2), Service Pack 3 (SP3), or Service Pack 4 (SP4).

Windows NT 4.0 (all versions) Prerequisites:

This security update requires Windows NT Workstation 4.0 Service Pack 6a (SP6a), Windows NT Server 4.0 Service Pack 6a (SP6a), or Windows NT Server 4.0 Terminal Server Edition Service Pack 6 (SP6).

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security update support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

Other Considerations

Restart Requirement: You must restart your computer after you apply this security update.

For More Information

If you require further assistance, or if you have any further questions regarding this field notice, please contact the Cisco Systems Technical Assistance Center (TAC) by one of the following methods:

Receive Email Notification For New Field Notices

Product Alert Tool - Set up a profile to receive email updates about reliability, safety, network security, and end-of-sale issues for the Cisco products you specify.