[SECURITY-L] [0_46013_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com: Microsoft Security Bulletin MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)]

Silvana Mieko Misuta mieko em ccuec.unicamp.br
Thu Mar 27 09:04:28 -03 2003


----- Forwarded message from Microsoft <0_46013_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com> -----

From: "Microsoft" <0_46013_AEE7C282-5BFD-4E84-98BC-79A14F27B03B_BR em Newsletters.Microsoft.com>
Subject: Microsoft Security Bulletin MS03-010: Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks (331953)
To: <mieko em ccuec.unicamp.br>
Date: Wed, 26 Mar 2003 12:45:15 -0800
X-Mailer: Microsoft CDO for Windows 2000

-----BEGIN PGP SIGNED MESSAGE-----

- ----------------------------------------------------------------------
Title:      Flaw in RPC Endpoint Mapper Could Allow Denial of 
            Service Attacks (331953)
Date:       26 March 2003
Software:   Microsoft(r) Windows(r) NT 4.0, Windows 2000, or 
            Windows XP
Impact:     denial of service
Max Risk:   Important
Bulletin:   MS03-010

Microsoft encourages customers to review the Security Bulletins 
at: 

http://www.microsoft.com/technet/security/bulletin/MS03-010.asp
http://www.microsoft.com/security/security_bulletins/ms03-010.asp
- ----------------------------------------------------------------------

Issue:
======
Remote Procedure Call (RPC) is a protocol used by the Windows 
operating system. RPC provides an inter-process communication 
mechanism that allows a program running on one computer to 
seamlessly execute code on a remote system. The protocol itself 
is derived from the OSF (Open Software Foundation) RPC protocol, 
but with the addition of some Microsoft specific extensions. 

There is a vulnerability in the part of RPC that deals with 
message exchange over TCP/IP. The failure results because of 
incorrect handling of malformed messages. This particular 
vulnerability affects the RPC Endpoint Mapper process, which 
listens on TCP/IP port 135. The RPC endpoint mapper allows RPC 
clients to determine the port number currently assigned to a 
particular RPC service. 

To exploit this vulnerability, an attacker would need to 
establish a TCP/IP connection to the Endpoint Mapper process on 
a remote machine. Once the connection was established, the 
attacker would begin the RPC connection negotiation before 
transmitting a malformed message. At this point, the process on 
the remote machine would fail. The RPC Endpoint Mapper process 
is responsible for maintaining the connection information for 
all of the processes on that machine using RPC. Because the 
Endpoint Mapper runs within the RPC service itself, exploiting 
this vulnerability would cause the RPC service to fail, with the 
attendant loss of any RPC-based services the server offers, as 
well as potential loss of some COM functions. 

Microsoft has provided patches with this bulletin to correct 
this vulnerability for Windows 2000 and Windows XP. Although 
Windows NT 4.0 is affected by this vulnerability, Microsoft is 
unable to provide a patch for this vulnerability for Windows NT 
4.0. The architectural limitations of Windows NT 4.0 do not 
support the changes that would be required to remove this 
vulnerability. Windows NT 4.0 users are strongly encouraged to 
employ the workaround discussed in the FAQ in the bulletin, 
which is to protect the NT 4.0 system with a firewall that 
blocks Port 135.

Mitigating Factors:
====================

- - To exploit this vulnerability, the attacker would require the 
  ability to connect to the Endpoint Mapper running on the target 
  machine. For intranet environments, the Endpoint Mapper would 
  normally be accessible, but for Internet connected machines, the 
  port used by the Endpoint Mapper would normally be blocked by a 
  firewall. In the case where this port is not blocked, or in an 
  intranet configuration, the attacker would not require any 
  additional privileges. 
- - Best practices recommend blocking all TCP/IP ports that are not 
  actually being used. For this reason, most machines attached to 
  the Internet should have port 135 blocked. RPC over TCP is not 
  intended to be used in hostile environments such as the internet. 
- - More robust protocols such as RPC over HTTP are provided for 
  hostile environments. To learn more about securing RPC for 
  client and server please refer to 
  http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/writing_a_secure_rpc_client_or_server.asp. 
  To learn more about the ports used by RPC, please refer to 
  http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp 
- - This vulnerability only permits a denial of service attack and 
  does not provide an attacker with the ability to

Risk Rating:
============
Important

Patch Availability:
===================
A patch is available to fix this vulnerability. Please read the 
Security Bulletins at

http://www.microsoft.com/technet/security/bulletin/ms03-010.asp
http://www.microsoft.com/security/security_bulletins/ms03-10.asp

for information on obtaining this patch.

Acknowledgment:
===============
 - Microsoft thanks jussi jaakonaho for reporting this issue to 
   us and working with us to protect customers

- ----------------------------------------------------------------

THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS 
PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT 
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING 
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 
PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS 
SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, 
INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR 
SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS 
HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME 
STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR 
CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION 
MAY NOT APPLY.

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.1

-----END PGP SIGNATURE-----



----- End forwarded message -----
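
Added example (not part of the Microsoft bulletin or the forwarded message): a small Python audit of the port 135 workaround, evaluating a first-match firewall rule list to find unpatched hosts whose Endpoint Mapper port is still reachable. The rule format, addresses and host inventory are constructed for illustration and do not follow any vendor's syntax.

```python
import ipaddress

# Constructed, simplified first-match rule list (not any vendor's syntax):
# (action, source CIDR, destination CIDR, TCP port or None for any port)
RULES = [
    ("allow", "10.0.0.0/8", "10.0.0.0/8", 135),     # intranet RPC
    ("deny",  "0.0.0.0/0",  "10.0.5.0/24", 135),    # block 135 to NT 4.0 segment
    ("allow", "0.0.0.0/0",  "10.0.9.10/32", None),  # DMZ host, all ports open
    ("deny",  "0.0.0.0/0",  "0.0.0.0/0", None),     # default deny
]

# Constructed inventory: host -> (OS, patched for MS03-010?)
HOSTS = {
    "10.0.5.20": ("Windows NT 4.0", False),  # no patch exists for NT 4.0
    "10.0.9.10": ("Windows 2000", False),
    "10.0.1.7": ("Windows XP", True),
}

EPMAP_PORT = 135  # RPC Endpoint Mapper port, per the bulletin


def verdict(src, dst, port, rules=RULES):
    """Return the action of the first rule matching src -> dst:port."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"  # nothing matched: treat as blocked


def audit(probe_sources, hosts=HOSTS, rules=RULES):
    """List (host, os, source) where an unpatched host's port 135 is reachable."""
    findings = []
    for host, (os_name, patched) in sorted(hosts.items()):
        if patched:
            continue
        for src in probe_sources:
            if verdict(src, host, EPMAP_PORT, rules) == "allow":
                findings.append((host, os_name, src))
    return findings


if __name__ == "__main__":
    # One Internet address (documentation range) and one intranet address.
    for finding in audit(["203.0.113.5", "10.0.2.2"]):
        print("port 135 reachable:", finding)
```

The NT 4.0 host is shielded from the Internet address but still reachable from the intranet address, because the earlier intranet allow rule matches first; this is the intranet exposure the mitigating factors describe.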

