[thelist] Windows Note: *New* RPC Patch

Anthony Baratta Anthony at Baratta.com
Wed Sep 10 16:46:35 CDT 2003


This supersedes the last patch, and the previous patch does not protect you 
from the newly discovered vulnerabilities.

Patch up folks!!

>From: CERT Advisory <cert-advisory at cert.org>
>To: cert-advisory at cert.org
>Organization: CERT(R) Coordination Center - +1 412-268-7090
>Subject: CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows
>
>    Original release date: September 10, 2003
>    Last revised: --
>    Source: CERT/CC
>
>    A complete revision history can be found at the end of this file.
>
>Systems Affected
>
>      * Microsoft Windows NT Workstation 4.0
>      * Microsoft Windows NT Server 4.0
>      * Microsoft Windows NT Server 4.0, Terminal Server Edition
>      * Microsoft Windows 2000
>      * Microsoft Windows XP
>      * Microsoft Windows Server 2003
>
>Overview
>
>    Microsoft  has  published  a bulletin describing three vulnerabilities
>    that  affect  numerous  versions  of  Microsoft  Windows. Two of these
>    vulnerabilities  are  remotely  exploitable  buffer overflows that may
>    allow  an  attacker  to execute arbitrary code with system privileges.
>    The  third vulnerability may allow a remote attacker to cause a denial
>    of service.
>
>I. Description
>
>    The  Microsoft  RPCSS  Service  is  responsible  for  managing  Remote
>    Procedure   Call   (RPC)  messages.  There  are  two  buffer  overflow
>    vulnerabilities  in  the RPCSS service, which is enabled by default on
>    many  versions  of  Microsoft Windows. These buffer overflows occur in
>    sections  of  code  that  handle  DCOM activation messages sent to the
>    RPCSS service.
>
>    The  CERT/CC  is  tracking  these  vulnerabilities  as  VU#483492  and
>    VU#254236,  which  correspond  to  CVE  candidates  CAN-2003-0715  and
>    CAN-2003-0528,  respectively.  The  buffer overflows discussed in this
>    advisory are different than those discussed in previous advisories.
>
>    Microsoft has also published information regarding a denial-of-service
>    vulnerability  in  the  RPCSS service. This vulnerability only affects
>    Microsoft Windows 2000 systems.
>
>    The  CERT/CC  is  tracking  this  vulnerability  as  VU#326746,  which
>    corresponds  to  CVE  candidate  CAN-2003-0605. This vulnerability was
>    previously discussed in CA-2003-19.
>
>II. Impact
>
>    By  exploiting  either  of the buffer overflow vulnerabilities, remote
>    attackers  may  be  able  to  execute arbitrary code with Local System
>    privileges.
>
>    By  exploiting  the  denial-of-service vulnerability, remote attackers
>    may  be  able to disrupt the RPCSS service. This may result in general
>    system instability and require a reboot.
>
>III. Solution
>
>Apply a patch from Microsoft
>
>    Microsoft  has  published  Microsoft  Security  Bulletin  MS03-039  to
>    address this vulnerability. For more information, please see
>
>      http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
>
>    This bulletin supersedes MS03-026.
>
>Block traffic to and from common Microsoft RPC ports
>
>    As  an  interim  measure,  users  can  reduce the chance of successful
>    exploitation  by blocking traffic to and from well-known Microsoft RPC
>    ports, including
>      * Port 135 (tcp/udp)
>      * Port 137 (udp)
>      * Port 138 (udp)
>      * Port 139 (tcp)
>      * Port 445 (tcp/udp)
>      * Port 593 (tcp)
>
>    To  prevent  compromised hosts from contacting other vulnerable hosts,
>    the  CERT/CC  recommends  that  system administrators filter the ports
>    listed above for both incoming and outgoing traffic.
>
>Disable COM Internet Services and RPC over HTTP
>
>    COM  Internet  Services (CIS) is an optional component that allows RPC
>    messages  to  be  tunneled  over  HTTP ports 80 and 443. As an interim
>    measure,  sites  that use CIS may wish to disable it as an alternative
>    to blocking traffic to and from ports 80 and 443.
>
>Disable DCOM
>
>    Disable  DCOM  as  described  in MS03-039 and Microsoft Knowledge Base
>    Article 825750.
>      _________________________________________________________________
>
>    This  document  was  written by Jeffrey P. Lanza and is based upon the
>    information in MS03-039.
>    ______________________________________________________________________
>
>    This document is available from:
>    http://www.cert.org/advisories/CA-2003-23.html
>    ______________________________________________________________________
>
>CERT/CC Contact Information
>
>    Email: cert at cert.org
>           Phone: +1 412-268-7090 (24-hour hotline)
>           Fax: +1 412-268-6989
>           Postal address:
>           CERT Coordination Center
>           Software Engineering Institute
>           Carnegie Mellon University
>           Pittsburgh PA 15213-3890
>           U.S.A.
>
>    CERT/CC   personnel   answer  the  hotline  08:00-17:00  EST(GMT-5)  /
>    EDT(GMT-4)  Monday  through  Friday;  they are on call for emergencies
>    during other hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
>    We  strongly  urge you to encrypt sensitive information sent by email.
>    Our public PGP key is available from
>    http://www.cert.org/CERT_PGP.key
>
>    If  you  prefer  to  use  DES,  please  call the CERT hotline for more
>    information.
>
>Getting security information
>
>    CERT  publications  and  other security information are available from
>    our web site
>    http://www.cert.org/
>
>    To  subscribe  to  the CERT mailing list for advisories and bulletins,
>    send  email  to majordomo at cert.org. Please include in the body of your
>    message
>
>    subscribe cert-advisory
>
>    *  "CERT"  and  "CERT  Coordination Center" are registered in the U.S.
>    Patent and Trademark Office.
>    ______________________________________________________________________
>
>    NO WARRANTY
>    Any  material furnished by Carnegie Mellon University and the Software
>    Engineering  Institute  is  furnished  on  an  "as is" basis. Carnegie
>    Mellon University makes no warranties of any kind, either expressed or
>    implied  as  to  any matter including, but not limited to, warranty of
>    fitness  for  a  particular purpose or merchantability, exclusivity or
>    results  obtained from use of the material. Carnegie Mellon University
>    does  not  make  any warranty of any kind with respect to freedom from
>    patent, trademark, or copyright infringement.
>    ______________________________________________________________________
>
>    Conditions for use, disclaimers, and sponsorship information
>
>    Copyright 2003 Carnegie Mellon University.
>
>    Revision History
>Sep 10, 2003:  Initial release
>
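Added example, not part of Anthony's post or the CERT advisory: a small audit that runs over constructed firewall log lines and flags allowed traffic crossing the perimeter on the port/protocol pairs the advisory's interim mitigation lists, in both directions as the CERT/CC recommends. The record format and the 10.0.0.0/8 internal prefix are assumptions.

```python
import ipaddress

# Port/protocol pairs from the interim mitigation in CA-2003-23.
RPC_PORTS = {135: {"tcp", "udp"}, 137: {"udp"}, 138: {"udp"},
             139: {"tcp"}, 445: {"tcp", "udp"}, 593: {"tcp"}}
INTERNAL = ipaddress.ip_network("10.0.0.0/8")  # assumed site prefix

def direction(src, dst):
    """Classify a flow relative to the assumed internal prefix."""
    s_in = ipaddress.ip_address(src) in INTERNAL
    d_in = ipaddress.ip_address(dst) in INTERNAL
    if s_in and not d_in:
        return "outbound"
    if d_in and not s_in:
        return "inbound"
    return "internal" if s_in else "external"

def audit(lines):
    """Return (direction, proto, port, src, dst) for each ALLOW record that
    crosses the perimeter on one of the advisory's port/protocol pairs.
    Constructed record format: date time action proto src dst sport dport."""
    findings = []
    for line in lines:
        parts = line.split()
        if len(parts) != 8:
            continue  # malformed record: skip rather than guess
        _, _, action, proto, src, dst, _sport, dport = parts
        proto, port = proto.lower(), int(dport)
        if action != "ALLOW" or proto not in RPC_PORTS.get(port, ()):
            continue  # denied, or not a pair the advisory lists
        d = direction(src, dst)
        if d in ("inbound", "outbound"):  # CERT/CC: filter both directions
            findings.append((d, proto, port, src, dst))
    return findings

SAMPLE_LOG = [  # constructed records, not real traffic
    "2003-09-10 16:46:35 ALLOW TCP 198.51.100.7 10.1.2.3 3029 135",
    "2003-09-10 16:46:36 ALLOW TCP 10.1.2.3 198.51.100.9 1045 445",
    "2003-09-10 16:46:37 ALLOW UDP 198.51.100.7 10.1.2.3 137 137",
    "2003-09-10 16:46:38 ALLOW UDP 198.51.100.7 10.1.2.3 3030 139",  # 139 is tcp-only in the list
    "2003-09-10 16:46:39 DENY TCP 198.51.100.7 10.1.2.3 3031 593",
    "2003-09-10 16:46:40 ALLOW TCP 10.1.2.3 10.1.2.4 3032 135",      # internal only
    "2003-09-10 16:46:41 ALLOW TCP 198.51.100.7 10.1.2.3 3033 80",
]

if __name__ == "__main__":
    for f in audit(SAMPLE_LOG):
        print("%-8s %s/%d %s -> %s" % f)
```

The outbound hit on 445 is the case the advisory singles out: an already-compromised internal host reaching other vulnerable hosts.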