Threat Level: green Handler on Duty: Daniel Wesemann

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Microsoft Windows RPCSS Vulnerability Update

Published: 2003-09-11
Last Updated: 2003-09-12 14:56:55 UTC
by Handlers (Version: 1)
0 comment(s)
Several groups are working on an exploit for this vulnerability. Expect a working exploit to be published and used within the next few days. We did compile a set of power point slides for IT managers to illustrate the most important facts of this issue:

PDF: http://isc.sans.org/presentations/MS03-039.pdf

Power Point: http://isc.sans.org/presentations/MS03-039.ppt

This vulnerability is NOT PATCHED by the RPC DCOM patch (MS03-026)

The RPCSS patch (MS03-039) has been made available on Sept. 10th (Wednesday). No patch prior to this date fixed this issue. While this is an RPC issue, it is a new and different issue as the one released in July.

You must patch as soon as possible

We expect an exploit in widespread use shortly. At this point, you should be able to patch while assuming that the machine has not yet been compromised. However, within a few days this may no longer be the case and you will have to validate the system's integrity.

The patch for MS03-039 (RPCSS) does include the july patch for MS03-026 (RPC DCOM).

Workarounds

There are two workarounds. You can avoid exploitation by this vulnerability by applying firewall rules. In particular if you are using a host based ("Personal") firewall. For network firewalls, make sure no hosts are moved into the same zone with unpatched machines. We recommend setting up a "laptop quarantine" to avoid the introduction of malware from the outside of the network.

In order to protect unpatched systems, you should close the following ports:

UDP 135, 137, 138, 445

TCP 135, 139, 445, 593

Other ports may be used as well depending on additional components you may have installed. In particular if you are using COM Internet Services (CIS) and RPC over HTTP, you need to close port 80 and 443 inbound.

To disable RPC, see this article: http://support.microsoft.com/default.aspx?scid=kb;en-us;825750

Update Vulnerability Scanners

Scanners for the old RPC vulnerability will not recognize this new vulnerability, and may detect false positives for patched systems. Update to the most recent versions of your scanner.

Links and Further Information

Microsoft Bulletin (Consumer version):

http://www.microsoft.com/security/security_bulletins/ms03-039.asp

Microsoft Bulletin (Technical Details):

http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-039.asp

Details about RPC:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/remote_procedure_calls_using_rpc_over_http.asp

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dndcom/html/cis.asp


Scanners:

Microsoft: http://support.microsoft.com/?kbid=827363

Qualys: http://www.qualys.com/RPCSS

Eeye: http://www.eeye.com/html/Research/Tools/RPCDCOM.html

ISS: http://www.iss.net/support/product_utilities/Xfrpcss.php

Foundstone: http://www.foundstone.com/resources/scanning.htm
Symbolic.it (Italian and English): http://www.symbolic.it/Press/press_rpcheck2.html
Keywords:
0 comment(s)
Diary Archives