[SECURITY-L] [cais at cais.rnp.br: CAIS-Alerta: Vulnerability in the Microsoft RPC Endpoint Mapper (331953)]

Silvana Mieko Misuta mieko at ccuec.unicamp.br
Wed Mar 26 16:58:08 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Vulnerability in the Microsoft RPC Endpoint Mapper (331953)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Date: Wed, 26 Mar 2003 16:53:10 -0300 (BRT)


Dear all,

CAIS is forwarding the alert released by Microsoft, Microsoft
Security Bulletin MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial
of Service Attacks (331953), which addresses a vulnerability in the
implementation of the RPC Endpoint Mapper that can allow a remote
attacker to carry out a denial of service (DoS) attack.


Affected Systems:

        . Microsoft Windows NT 4
        . Microsoft Windows 2000
        . Microsoft Windows XP


Available fixes:

The fix consists of applying the patch recommended by Microsoft, which is
available at the URLs listed below.


        . Microsoft Windows 2000
          o All except Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=BD55EB38-A5DE-4810-90F7-097C5B4B9919&displaylang=en

          o Japanese NEC
http://microsoft.com/downloads/details.aspx?FamilyId=3F7DC0DA-A684-43A8-B2E3-1EEDEEDC822C&displaylang=ja

        . Windows XP
          o 32-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=94213569-3258-4439-9AE7-5D86813B4D9E&displaylang=en

          o 64-bit Edition
http://microsoft.com/downloads/details.aspx?FamilyId=E3FB88CF-FA48-4426-A4F8-D18D8D4D2295&displaylang=en



More information:

http://www.microsoft.com/technet/security/bulletin/ms03-010.asp


CVE identifier: CAN-2002-1561 (http://cve.mitre.org)


CAIS recommends that administrators of Microsoft platforms keep their
systems and applications up to date at all times.


Sincerely,


################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br    http://www.cais.rnp.br                #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################


----------------------------------------------------------------------
Title:      Flaw in RPC Endpoint Mapper Could Allow Denial of
            Service Attacks (331953)
Date:       26 March 2003
Software:   Microsoft(r) Windows(r) NT 4.0, Windows 2000, or
            Windows XP
Impact:     denial of service
Max Risk:   Important
Bulletin:   MS03-010

Microsoft encourages customers to review the Security Bulletins
at:

http://www.microsoft.com/technet/security/bulletin/MS03-010.asp
http://www.microsoft.com/security/security_bulletins/ms03-010.asp
----------------------------------------------------------------------

Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows
operating system. RPC provides an inter-process communication
mechanism that allows a program running on one computer to
seamlessly execute code on a remote system. The protocol itself
is derived from the OSF (Open Software Foundation) RPC protocol,
but with the addition of some Microsoft specific extensions.

There is a vulnerability in the part of RPC that deals with
message exchange over TCP/IP. The failure results because of
incorrect handling of malformed messages. This particular
vulnerability affects the RPC Endpoint Mapper process, which
listens on TCP/IP port 135. The RPC endpoint mapper allows RPC
clients to determine the port number currently assigned to a
particular RPC service.

To exploit this vulnerability, an attacker would need to
establish a TCP/IP connection to the Endpoint Mapper process on
a remote machine. Once the connection was established, the
attacker would begin the RPC connection negotiation before
transmitting a malformed message. At this point, the process on
the remote machine would fail. The RPC Endpoint Mapper process
is responsible for maintaining the connection information for
all of the processes on that machine using RPC. Because the
Endpoint Mapper runs within the RPC service itself, exploiting
this vulnerability would cause the RPC service to fail, with the
attendant loss of any RPC-based services the server offers, as
well as potential loss of some COM functions.

Microsoft has provided patches with this bulletin to correct
this vulnerability for Windows 2000 and Windows XP. Although
Windows NT 4.0 is affected by this vulnerability, Microsoft is
unable to provide a patch for this vulnerability for Windows NT
4.0. The architectural limitations of Windows NT 4.0 do not
support the changes that would be required to remove this
vulnerability. Windows NT 4.0 users are strongly encouraged to
employ the workaround discussed in the FAQ in the bulletin,
which is to protect the NT 4.0 system with a firewall that
blocks Port 135.

Mitigating Factors:
====================

- To exploit this vulnerability, the attacker would require the
  ability to connect to the Endpoint Mapper running on the target
  machine. For intranet environments, the Endpoint Mapper would
  normally be accessible, but for Internet connected machines, the
  port used by the Endpoint Mapper would normally be blocked by a
  firewall. In the case where this port is not blocked, or in an
  intranet configuration, the attacker would not require any
  additional privileges.
- Best practices recommend blocking all TCP/IP ports that are not
  actually being used. For this reason, most machines attached to
  the Internet should have port 135 blocked. RPC over TCP is not
  intended to be used in hostile environments such as the internet.
- More robust protocols such as RPC over HTTP are provided for
  hostile environments. To learn more about securing RPC for
  client and server please refer to
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp.
  To learn more about the ports used by RPC, please refer to
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp
- This vulnerability only permits a denial of service attack and
  does not provide an attacker with the ability to

Risk Rating:
============
Important

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the
Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-010.asp
http://www.microsoft.com/security/security_bulletins/ms03-10.asp

for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks jussi jaakonaho for reporting this issue to
   us and working with us to protect customers


----- End forwarded message -----
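
The workaround the bulletin gives for Windows NT 4.0, a firewall that blocks port 135, only holds if no earlier rule in the filter permits that port. The following Python code is an added example, not part of the CAIS alert or the Microsoft bulletin: it evaluates a first-match rule set for inbound TCP 135 and reports which hosts remain reachable. The rule syntax, the addresses and the function names are constructed for illustration.

```python
import ipaddress

# Constructed rule set in a simplified, hypothetical syntax (not a real
# firewall's format): <action> <proto> <source> <destination> <port>
# Rules are evaluated top-down and the first match wins.
SAMPLE_RULES = """
permit tcp any 192.0.2.10   80
deny   tcp any 192.0.2.10   135
permit tcp any 192.0.2.0/24 1-1023   # broad rule that also covers 135
deny   ip  any any          any
"""

def _net(field):
    return ipaddress.ip_network("0.0.0.0/0" if field == "any" else field, strict=False)

def _ports(field):
    if field == "any":
        return (0, 65535)
    lo, _, hi = field.partition("-")
    return (int(lo), int(hi or lo))

def parse_rules(text):
    """Parse the rule text into (number, action, proto, src, dst, ports) tuples."""
    lines = [l.split("#", 1)[0].split() for l in text.splitlines()]
    return [(n, a, p, _net(s), _net(d), _ports(pt))
            for n, (a, p, s, d, pt) in enumerate((l for l in lines if l), 1)]

def verdict(rules, src, dst, port, proto="tcp", default="deny"):
    """Return (action, rule number) of the first rule matching the packet."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for n, action, rproto, rsrc, rdst, (lo, hi) in rules:
        if rproto in (proto, "ip") and src in rsrc and dst in rdst and lo <= port <= hi:
            return action, n
    return default, None

def exposed_endpoint_mappers(rules, hosts, outside="198.51.100.7"):
    """Map each host whose TCP 135 is reachable from outside to the permitting rule."""
    findings = {}
    for host in hosts:
        action, n = verdict(rules, outside, host, 135)
        if action == "permit":
            findings[host] = n
    return findings

if __name__ == "__main__":
    rules = parse_rules(SAMPLE_RULES)
    # 192.0.2.10 and 192.0.2.20 stand in for unpatched Windows NT 4.0 hosts.
    for host, n in exposed_endpoint_mappers(rules, ["192.0.2.10", "192.0.2.20"]).items():
        print(f"{host}: TCP 135 permitted from outside by rule {n}")
```

In the sample, 192.0.2.10 is covered by its explicit deny, while 192.0.2.20 is exposed by the broad low-port permit that precedes the final deny.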

