From dane@fnal.gov Thu Aug 21 12:41:51 2003
Date: Fri, 18 Jul 2003 14:05:00 -0500 (CDT)
From: Dane D. Skow
To: fidler@fnal.gov, andylego@fnal.gov, adamo@fnal.gov, cisko@fnal.gov, urish@fnal.gov, forni@fnal.gov, andree@fnal.gov
Cc: computer-security@fnal.gov
Subject: Microsoft Buffer Overrun In RPC Interface Declared Critical Vulnerability

On expert advice, I am declaring this a critical vulnerability for the machines with NetBIOS blocks. Please apply the patch as soon as you safely can do so (see comment about local testing and confer with your peers) and reply to computer-security when you have done so.

Patches must be applied by noon Friday July 25 in order to maintain offsite connectivity.

Dane

From earlier mail from Al Lilianstrom:

Patches are available locally. I have not tested this patch in any way on any OS. Please read this message as well as the bulletin referenced in the message as there is a specific service pack level required to apply the patch. Be sure to test in your environment before rolling out.
Look for files starting with MS03-026

Patches are at

\\pckits\Fermi-Rollup\nt
\\pckits\Fermi-Rollup\w2k
\\pckits\Fermi-Rollup\w2k3
\\pckits\Fermi-Rollup\w2k3\ia64
\\pckits\Fermi-Rollup\xp
\\pckits\Fermi-Rollup\xp\ia64

\\pseekits\Fermi-Rollup\nt
\\pseekits\Fermi-Rollup\w2k
\\pseekits\Fermi-Rollup\w2k3
\\pseekits\Fermi-Rollup\w2k3\ia64
\\pseekits\Fermi-Rollup\xp
\\pseekits\Fermi-Rollup\xp\ia64

http://pseekits.fnal.gov/fermi-rollup/nt/
http://pseekits.fnal.gov/fermi-rollup/w2k/
http://pseekits.fnal.gov/fermi-rollup/w2k3/
http://pseekits.fnal.gov/fermi-rollup/w2k3/ia64/
http://pseekits.fnal.gov/fermi-rollup/xp/
http://pseekits.fnal.gov/fermi-rollup/xp/ia64/

al

-----BEGIN PGP SIGNED MESSAGE-----

- - ---------------------------------------------------------------
Title:    Buffer Overrun In RPC Interface Could Allow Code Execution (823980)
Date:     16 July 2003
Software: Microsoft(r) Windows (r) NT 4.0
          Microsoft Windows NT 4.0 Terminal Services Edition
          Microsoft Windows 2000
          Microsoft Windows XP
          Microsoft Windows Server 2003
Impact:   Run code of attacker's choice
Max Risk: Critical
Bulletin: MS03-026

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS03-026.asp
http://www.microsoft.com/security/security_bulletins/MS03-026.asp
- - ---------------------------------------------------------------

Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows operating system. RPC provides an inter-process communication mechanism that allows a program running on one computer to seamlessly execute code on a remote system. The protocol itself is derived from the OSF (Open Software Foundation) RPC protocol, but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages.
This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests sent by client machines (such as Universal Naming Convention (UNC) paths) to the server.

To exploit this vulnerability, an attacker would need to send a specially formed request to the remote computer on port 135.

Mitigating factors:
====================
- To exploit this vulnerability, the attacker would require the ability to send a specially crafted request to port 135 on the remote machine. For intranet environments, this port would normally be accessible, but for Internet connected machines, the port 135 would normally be blocked by a firewall. In the case where this port is not blocked, or in an intranet configuration, the attacker would not require any additional privileges.

- Best practices recommend blocking all TCP/IP ports that are not actually being used. For this reason, most machines attached to the Internet should have port 135 blocked. RPC over TCP is not intended to be used in hostile environments such as the internet. More robust protocols such as RPC over HTTP are provided for hostile environments.

Risk Rating:
============
Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletins at
  http://www.microsoft.com/technet/security/bulletin/ms03-026.asp
  http://www.microsoft.com/security/security_bulletins/ms03-026.asp
  for information on obtaining this patch.

- - ---------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.
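
The bulletin's mitigating factors depend on who can reach TCP port 135 on a machine. The following Python check is an added example, not part of the original mail or the Microsoft bulletin: it parses Windows `netstat -an` output and reports whether the host listens on TCP 135 and which connected peers lie outside the intranet. The sample output, the addresses in it, and the `10.1.0.0/16` intranet range are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -an` output (not from the original mail).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.1.2.3:135           10.1.2.77:1045         ESTABLISHED
  TCP    10.1.2.3:135           203.0.113.9:3321       ESTABLISHED
  TCP    10.1.2.3:1029          10.1.2.50:135          ESTABLISHED
  UDP    0.0.0.0:135            *:*
"""

RPC_PORT = 135  # TCP port the bulletin names for the DCOM/RPC interface
# One TCP row: local addr:port, foreign addr:port, state.
ROW = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\S+)\s*$")


def audit_rpc_exposure(netstat_text, intranet_cidrs):
    """Return (listening, outside_peers) for local TCP port 135.

    listening     -- True if a TCP listener on port 135 is present.
    outside_peers -- sorted remote addresses connected to local port 135
                     that are in none of the intranet_cidrs networks.
    """
    nets = [ipaddress.ip_network(c) for c in intranet_cidrs]
    listening = False
    outside = set()
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        if not m or int(m.group(2)) != RPC_PORT:
            continue  # not a TCP row, or the local port is not 135
        state = m.group(5)
        if state == "LISTENING":
            listening = True
        elif state == "ESTABLISHED":
            # netstat prints IPv6 addresses in brackets; strip them.
            peer = ipaddress.ip_address(m.group(3).strip("[]"))
            if not any(peer in n for n in nets):
                outside.add(str(peer))
    return listening, sorted(outside)


if __name__ == "__main__":
    print(audit_rpc_exposure(SAMPLE_NETSTAT, ["10.1.0.0/16"]))
```

A non-empty second element means the border block on port 135 is not effective for that host; the outbound row to a remote port 135 is ignored because only the local port is checked.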