[thelist] Windows Note: *New* RPC Patch
Anthony Baratta
Anthony at Baratta.com
Wed Sep 10 16:46:35 CDT 2003
This supersedes the last patch, and the previous patch does not protect you
from newly discovered vulnerabilities.
Patch up folks!!
>From: CERT Advisory <cert-advisory at cert.org>
>To: cert-advisory at cert.org
>Organization: CERT(R) Coordination Center - +1 412-268-7090
>Subject: CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows
>
>-----BEGIN PGP SIGNED MESSAGE-----
>
>CERT Advisory CA-2003-23 RPCSS Vulnerabilities in Microsoft Windows
>
> Original release date: September 10, 2003
> Last revised: --
> Source: CERT/CC
>
> A complete revision history can be found at the end of this file.
>
>Systems Affected
>
> * Microsoft Windows NT Workstation 4.0
> * Microsoft Windows NT Server 4.0
> * Microsoft Windows NT Server 4.0, Terminal Server Edition
> * Microsoft Windows 2000
> * Microsoft Windows XP
> * Microsoft Windows Server 2003
>
>Overview
>
> Microsoft has published a bulletin describing three vulnerabilities
> that affect numerous versions of Microsoft Windows. Two of these
> vulnerabilities are remotely exploitable buffer overflows that may
> allow an attacker to execute arbitrary code with system privileges.
> The third vulnerability may allow a remote attacker to cause a denial
> of service.
>
>I. Description
>
> The Microsoft RPCSS Service is responsible for managing Remote
> Procedure Call (RPC) messages. There are two buffer overflow
> vulnerabilities in the RPCSS service, which is enabled by default on
> many versions of Microsoft Windows. These buffer overflows occur in
> sections of code that handle DCOM activation messages sent to the
> RPCSS service.
>
> The CERT/CC is tracking these vulnerabilities as VU#483492 and
> VU#254236, which correspond to CVE candidates CAN-2003-0715 and
> CAN-2003-0528, respectively. The buffer overflows discussed in this
> advisory are different than those discussed in previous advisories.
>
> Microsoft has also published information regarding a denial-of-service
> vulnerability in the RPCSS service. This vulnerability only affects
> Microsoft Windows 2000 systems.
>
> The CERT/CC is tracking this vulnerability as VU#326746, which
> corresponds to CVE candidate CAN-2003-0605. This vulnerability was
> previously discussed in CA-2003-19.
>
>II. Impact
>
> By exploiting either of the buffer overflow vulnerabilities, remote
> attackers may be able to execute arbitrary code with Local System
> privileges.
>
> By exploiting the denial-of-service vulnerability, remote attackers
> may be able to disrupt the RPCSS service. This may result in general
> system instability and require a reboot.
>
>III. Solution
>
>Apply a patch from Microsoft
>
> Microsoft has published Microsoft Security Bulletin MS03-039 to
> address this vulnerability. For more information, please see
>
> http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
>
> This bulletin supersedes MS03-026.
>
>Block traffic to and from common Microsoft RPC ports
>
> As an interim measure, users can reduce the chance of successful
> exploitation by blocking traffic to and from well-known Microsoft RPC
> ports, including
> * Port 135 (tcp/udp)
> * Port 137 (udp)
> * Port 138 (udp)
> * Port 139 (tcp)
> * Port 445 (tcp/udp)
> * Port 593 (tcp)
>
> To prevent compromised hosts from contacting other vulnerable hosts,
> the CERT/CC recommends that system administrators filter the ports
> listed above for both incoming and outgoing traffic.
>
>Disable COM Internet Services and RPC over HTTP
>
> COM Internet Services (CIS) is an optional component that allows RPC
> messages to be tunneled over HTTP ports 80 and 443. As an interim
> measure, sites that use CIS may wish to disable it as an alternative
> to blocking traffic to and from ports 80 and 443.
>
>Disable DCOM
>
> Disable DCOM as described in MS03-039 and Microsoft Knowledge Base
> Article 825750.
> _________________________________________________________________
>
> This document was written by Jeffrey P. Lanza and is based upon the
> information in MS03-039.
> ______________________________________________________________________
>
> This document is available from:
> http://www.cert.org/advisories/CA-2003-23.html
> ______________________________________________________________________
>
>CERT/CC Contact Information
>
> Email: cert at cert.org
> Phone: +1 412-268-7090 (24-hour hotline)
> Fax: +1 412-268-6989
> Postal address:
> CERT Coordination Center
> Software Engineering Institute
> Carnegie Mellon University
> Pittsburgh PA 15213-3890
> U.S.A.
>
> CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) /
> EDT(GMT-4) Monday through Friday; they are on call for emergencies
> during other hours, on U.S. holidays, and on weekends.
>
>Using encryption
>
> We strongly urge you to encrypt sensitive information sent by email.
> Our public PGP key is available from
> http://www.cert.org/CERT_PGP.key
>
> If you prefer to use DES, please call the CERT hotline for more
> information.
>
>Getting security information
>
> CERT publications and other security information are available from
> our web site
> http://www.cert.org/
>
> To subscribe to the CERT mailing list for advisories and bulletins,
> send email to majordomo at cert.org. Please include in the body of your
> message
>
> subscribe cert-advisory
>
> * "CERT" and "CERT Coordination Center" are registered in the U.S.
> Patent and Trademark Office.
> ______________________________________________________________________
>
> NO WARRANTY
> Any material furnished by Carnegie Mellon University and the Software
> Engineering Institute is furnished on an "as is" basis. Carnegie
> Mellon University makes no warranties of any kind, either expressed or
> implied as to any matter including, but not limited to, warranty of
> fitness for a particular purpose or merchantability, exclusivity or
> results obtained from use of the material. Carnegie Mellon University
> does not make any warranty of any kind with respect to freedom from
> patent, trademark, or copyright infringement.
> ______________________________________________________________________
>
> Conditions for use, disclaimers, and sponsorship information
>
> Copyright 2003 Carnegie Mellon University.
>
> Revision History
>Sep 10, 2003: Initial release
>
>-----BEGIN PGP SIGNATURE-----
>Version: PGP 6.5.8
>
>-----END PGP SIGNATURE-----
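
The advisory's interim measure is to filter the listed RPC ports for both incoming and outgoing traffic. As an added example (not part of the original post or the CERT advisory), the Python below checks a packet-filter policy for gaps against that port list. The rule syntax (`action direction proto ports`), first-match evaluation, default-allow policy and the sample rules are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Ports and protocols exactly as listed in CA-2003-23.
ADVISORY_PORTS = {135: ("tcp", "udp"), 137: ("udp",), 138: ("udp",),
                  139: ("tcp",), 445: ("tcp", "udp"), 593: ("tcp",)}

class Rule(NamedTuple):
    action: str     # "deny" or "allow"
    direction: str  # "in", "out" or "any"
    proto: str      # "tcp", "udp" or "any"
    lo: int         # first port of the range
    hi: int         # last port of the range

def parse_rule(line):
    """Parse e.g. 'deny in tcp 135' or 'deny any any 135-139' (hypothetical syntax)."""
    action, direction, proto, ports = line.split()
    lo, _, hi = ports.partition("-")
    return Rule(action, direction, proto, int(lo), int(hi or lo))

def verdict(rules, direction, proto, port, default="allow"):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if (r.direction in (direction, "any") and r.proto in (proto, "any")
                and r.lo <= port <= r.hi):
            return r.action
    return default

def coverage_gaps(rule_lines, default="allow"):
    """Return (direction, proto, port) tuples from the advisory that are not denied."""
    rules = [parse_rule(l) for l in rule_lines
             if l.strip() and not l.lstrip().startswith("#")]
    return [(direction, proto, port)
            for port, protos in sorted(ADVISORY_PORTS.items())
            for proto in protos
            for direction in ("in", "out")
            if verdict(rules, direction, proto, port, default) != "deny"]

# Constructed sample policy: mostly inbound blocks, plus an early allow
# that shadows the later deny for outbound tcp/445.
SAMPLE_RULES = """
allow out tcp 445
deny any tcp 135-139
deny in udp 135-138
deny any any 445
deny in tcp 593
""".splitlines()

if __name__ == "__main__":
    for gap in coverage_gaps(SAMPLE_RULES):
        print("not blocked: %s %s/%d" % gap)
```

The sample policy blocks every inbound port on the list but still lets outbound traffic through on several of them, which is the case the advisory's outgoing-traffic recommendation addresses.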