Microsoft Dynamics GP Multiple (4) Buffer Overflows

Notification Type: IBM Internet Security Systems Protection Advisory
Notification Date: June 30, 2008
Notification Version: 1.0
   
Name: Microsoft Dynamics GP Multiple (4) Buffer Overflows
Public disclosure/In the wild date: June 30, 2008 (vuln disclosure)
CVE: CVE-2006-5265 and CVE-2006-5266

Description:

Microsoft Dynamics GP is vulnerable to four heap and stack-based buffer overflows. A remote attacker could overflow the buffer and execute arbitrary code or gain control of the affected system by sending malicious queries to the Distributed Process Server or Distributed Process Manager.

Discoverer: IBM X-Force

 

ISS Coverage

Product: Proventia Network IDS, Proventia Network IPS, Proventia Network MFS, Proventia Server (Linux), RealSecure Network, RealSecure Server Sensor
Content Version: 24.49 or 1.88

Product: Proventia Desktop, Proventia Server IPS (Windows)
Content Version: epu or 1890

Propagation Techniques: remote exploit
ISS Protection: DPS_Magic_Number_DoS, DPS_IpAddr_Overflow, DPS_String_Overflow
Available: Oct 10, 2006

Detailed Description

Business Impact: Successful compromise of Microsoft Dynamics GP could expose confidential accounting, financial, and logistics information, information that is often considered extremely sensitive. X-Force has tracked numerous attacks where gaining access to this type of information was the main goal of the attacker.  Malicious modification of this information or even denial of service could have a devastating impact on a company’s ability to make accurate estimates of corporate financial performance.
CVSS (for XFID 25840-25843):
  Base Score: 10.0
    Access Vector: Network
    Access Complexity: Low
    Authentication: None
    Confidentiality Impact: Complete
    Integrity Impact: Complete
    Availability Impact: Complete
  Adjusted Temporal Score: 7.4
    Exploitability: Unproven
    Remediation Level: Official-Fix
    Report Confidence: Confirmed
Affected Products: Any version of Great Plains prior to version 10.0 could be impacted. ISS X-Force has confirmed the vulnerabilities in Great Plains version 8 SP3, and the fix was released in Great Plains version 10.0.
Technical Description:

Microsoft Dynamics GP (formerly known as Great Plains) is a software system for managing and integrating finance, e-commerce, logistics, customer relationship, and human resources information in a business. Dynamics GP includes a Distributed Process Server and Manager that can be used to distribute the processing load for certain calculations across a number of different workstations.

Distributed Process Server and Manager listen for connections on TCP ports 1352 and 1351 respectively. Messages sent to these services conform to a proprietary protocol. The software copies data sent in this protocol into various heap and stack buffers depending on the context. While all of the data copies are bounded, they are often bounded by a value that is greater than the amount of memory that has been allocated, leading to a potential buffer overflow or denial of service.
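The flaw class described above (a copy that is bounded, but by a value larger than the destination allocation) is shown next to its corrected form in the following added example, which is not code from this advisory or from Dynamics GP. The advisory does not publish the wire format, so the 2-byte length prefix, the WIRE_MAX and NAME_CAP sizes, and all function and struct names are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define WIRE_MAX 1024u /* assumed protocol-wide maximum field length */
#define NAME_CAP 64u   /* assumed size of the buffer actually allocated */

struct session { char name[NAME_CAP]; };

/* Flawed pattern: the copy is bounded, but by WIRE_MAX rather than by the
 * destination size, so a declared length of 65..1024 writes past name[]. */
int copy_field_weak(struct session *s, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > WIRE_MAX || len > msg_len - 2) return -1; /* wrong upper bound */
    memcpy(s->name, msg + 2, len);
    return (int)len;
}

/* Corrected: the bound is the capacity of the buffer being written. */
int copy_field_strict(struct session *s, const uint8_t *msg, size_t msg_len) {
    if (msg_len < 2) return -1;
    size_t len = ((size_t)msg[0] << 8) | msg[1];
    if (len > msg_len - 2) return -1;        /* declares more than was sent */
    if (len >= sizeof s->name) return -2;    /* does not fit with the NUL */
    memcpy(s->name, msg + 2, len);
    s->name[len] = '\0';
    return (int)len;
}

/* Constructed input: 2-byte big-endian length, then `sent` filler bytes
 * (sent must not exceed WIRE_MAX). Returns the strict parser's verdict. */
int try_strict(size_t declared, size_t sent) {
    static uint8_t msg[2 + WIRE_MAX];
    struct session s;
    msg[0] = (uint8_t)(declared >> 8);
    msg[1] = (uint8_t)declared;
    memset(msg + 2, 'A', sent);
    return copy_field_strict(&s, msg, 2 + sent);
}

int main(void) {
    printf("fits:      %d\n", try_strict(10, 10));
    printf("oversized: %d\n", try_strict(200, 200));
    printf("truncated: %d\n", try_strict(40, 8));
    return 0;
}
```

The two functions differ only in which limit the length is compared against, which is why this class of bug survives a review that only asks whether a bound exists.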

Four vulnerabilities (XFID 25840, XFID 25841, XFID 25842, and XFID 25843) discovered by IBM X-Force related to this protocol are buffer overflows that allow remote code execution. A fifth issue (XFID 25844), a Denial of Service vulnerability, was also discovered.

Remediation:

Patches are available for this issue. See References for details.

References

XFDB: http://xforce.iss.net/xforce/xfdb/25840
http://xforce.iss.net/xforce/xfdb/25841
http://xforce.iss.net/xforce/xfdb/25842
http://xforce.iss.net/xforce/xfdb/25843
http://xforce.iss.net/xforce/xfdb/25844
Microsoft: http://www.microsoft.com/dynamics/gp/product/10.mspx

Revision History

1.0 Initial publication.

* According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall IBM be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.
