[SECURITY-L] CAIS-Alerta: Multiple vulnerabilities in the RPCSS service (824146)

Security Team - UNICAMP security at unicamp.br
Wed Sep 10 16:03:15 -03 2003


----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br> -----

From: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Subject: CAIS-Alerta: Multiple vulnerabilities in the RPCSS service (824146)
To: rnp-alerta at cais.rnp.br, rnp-seg at cais.rnp.br
Cc: Centro de Atendimento a Incidentes de Seguranca <cais at cais.rnp.br>
Date: Wed, 10 Sep 2003 15:34:04 -0300 (BRT)


CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin
MS03-039: Buffer Overrun In RPCSS Service Could Allow Code Execution
(824146), which covers three vulnerabilities in the Windows RPCSS service
that could allow an attacker to execute arbitrary code with system
privileges, or to cause a denial of service of RPC.

The flaws result from incorrect handling of messages in the DCOM
(Distributed Component Object Model) interface within the RPCSS service.
These vulnerabilities allow an attacker to send malformed messages to the
RPCSS services.

We note that the MSBlaster.D and Nachi worms recently used a
vulnerability in the RPC service to spread. This alert is _not related_
to the MS03-026 alert, which reported the vulnerability used by those
worms.

Affected systems:

        . Microsoft Windows NT Workstation 4.0
        . Microsoft Windows NT 4.0 Server
        . Microsoft Windows NT 4.0, Terminal Server Edition
        . Microsoft Windows 2000
        . Microsoft Windows XP
        . Microsoft Windows Server 2003

Available fixes:

The fix consists of applying the patch recommended by Microsoft, which is
available at:

. Windows NT Workstation
http://www.microsoft.com/downloads/details.aspx?FamilyId=7EABAD74-9CA9-48F4-8DB5-CF8C188879DA&displaylang=en

. Windows NT Server 4.0
http://www.microsoft.com/downloads/details.aspx?FamilyId=71B6135C-F957-4702-B376-2DACCE773DC0&displaylang=en

. Windows NT Server 4.0, Terminal Server Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=677229F8-FBBF-4FF4-A2E9-506D17BB883F&displaylang=en

. Windows 2000
http://www.microsoft.com/downloads/details.aspx?FamilyId=F4F66D56-E7CE-44C3-8B94-817EA8485DD1&displaylang=en

. Windows XP
http://www.microsoft.com/downloads/details.aspx?FamilyId=5FA055AE-A1BA-4D4A-B424-95D32CFC8CBA&displaylang=en

. Windows XP 64 bit Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=50E4FB51-4E15-4A34-9DC3-7053EC206D65&displaylang=en

. Windows XP 64 bit Edition Version 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en

. Windows Server 2003
http://www.microsoft.com/downloads/details.aspx?FamilyId=51184D09-4F7E-4F7B-87A4-C208E9BA4787&displaylang=en

. Windows Server 2003 64 bit Edition
http://www.microsoft.com/downloads/details.aspx?FamilyId=80AB25B3-E387-441F-9B6D-84106F66059B&displaylang=en


More information:

. http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
. http://xforce.iss.net/xforce/alerts/id/152


CVE identifier: CAN-2003-0715, CAN-2003-0528, CAN-2003-0605
(http://cve.mitre.org)


CAIS is already aware of the existence of malicious code that exploits
the vulnerabilities described above.

CAIS strongly recommends that administrators of Microsoft platforms keep
their systems and applications up to date at all times.


Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais at cais.rnp.br     http://www.cais.rnp.br               #
# Tel. 019-37873300    Fax. 019-37873301                       #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

MS03-039 Buffer Overrun In RPCSS Service Could Allow Code Execution
(824146)

Summary

Who should read this bulletin: Users running Microsoft® Windows®

Impact of vulnerability: Run code of attacker's choice

Maximum Severity Rating: Critical

Recommendation: System administrators should apply the security patch
immediately

End User Bulletin:
An end user version of this bulletin is available at:

http://www.microsoft.com/security/security_bulletins/ms03-039.asp.

Protect your PC:
Additional information on how you can help protect your PC is available at
the following locations:

    * End Users can visit http://www.microsoft.com/protect
    * IT Professionals can visit
      http://www.microsoft.com/technet/security/tips/pcprotec.asp

Affected Software:

    * Microsoft Windows NT Workstation 4.0
    * Microsoft Windows NT Server® 4.0
    * Microsoft Windows NT Server 4.0, Terminal Server Edition
    * Microsoft Windows 2000
    * Microsoft Windows XP
    * Microsoft Windows Server 2003

Not Affected Software:

    * Microsoft Windows Millennium Edition

Technical details
Technical description:

The fix provided by this patch supersedes the one included in Microsoft
Security Bulletin MS03-026.

Remote Procedure Call (RPC) is a protocol used by the Windows operating
system. RPC provides an inter-process communication mechanism that allows
a program running on one computer to seamlessly access services on another
computer. The protocol itself is derived from the Open Software Foundation
(OSF) RPC protocol, but with the addition of some Microsoft specific
extensions.

There are three identified vulnerabilities in the part of RPCSS Service
that deals with RPC messages for DCOM activation: two that could allow
arbitrary code execution and one that could result in a denial of service.
The flaws result from incorrect handling of malformed messages. These
particular vulnerabilities affect the Distributed Component Object Model
(DCOM) interface within the RPCSS Service. This interface handles DCOM
object activation requests that are sent from one machine to another.

An attacker who successfully exploited these vulnerabilities could be able
to run code with Local System privileges on an affected system, or could
cause the RPCSS Service to fail. The attacker could then be able to take
any action on the system, including installing programs, viewing, changing
or deleting data, or creating new accounts with full privileges.

To exploit these vulnerabilities, an attacker could create a program to
send a malformed RPC message to a vulnerable system targeting the RPCSS
Service.

Microsoft has released a tool that can be used to scan a network for the
presence of systems which have not had the MS03-039 patch installed. More
details on this tool are available in Microsoft Knowledge Base article
827363. This tool supersedes the one provided in Microsoft Knowledge Base
article 826369. If the tool provided in Microsoft Knowledge Base Article
826369 is used against a system which has installed the security patch
provided with this bulletin, the superseded tool will incorrectly report
that the system is missing the patch provided in MS03-026. Microsoft
encourages customers to run the latest version of the tool available in
Microsoft Knowledge Base article 827363 to determine if their systems are
patched.

Mitigating factors:

    * Firewall best practices and standard default firewall configurations
can help protect networks from remote attacks originating outside of the
enterprise perimeter. Best practices recommend blocking all ports that are
not actually being used. For this reason, most systems attached to the
Internet should have a minimal number of the affected ports exposed.

For more information about the ports used by RPC, visit the following
Microsoft Web site:
http://www.microsoft.com/technet/prodtechnol/windows2000serv/reskit/tcpip/part4/tcpappc.asp

Severity Rating:

                                           Windows NT  Windows NT 4.0,  Windows    Windows   Windows
                                           4.0 Server  Terminal Server  2000       XP        Server 2003
                                                       Edition
Buffer Overrun Vulnerabilities             Critical    Critical         Critical   Critical  Critical
Denial of Service Vulnerability            None        None             Important  None      None
Aggregate Severity of all Vulnerabilities  Critical    Critical         Critical   Critical  Critical

The above assessment is based on the types of systems affected by the
vulnerability, their typical deployment patterns, and the effect that
exploiting the vulnerability would have on them.

Vulnerability identifier:
Buffer Overrun: CAN-2003-0715

Buffer Overrun: CAN-2003-0528

Denial of Service: CAN-2003-0605

Tested Versions:
Microsoft tested Windows Millennium Edition, Windows NT 4.0 Server,
Windows NT 4.0 Terminal Services Edition, Windows 2000, Windows XP and
Windows Server 2003 to assess whether they are affected by this
vulnerability. Previous versions are no longer supported, and may or may
not be affected by these vulnerabilities.

----- End forwarded message -----
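
The bulletin's technical description says the MS03-039 fix supersedes the MS03-026 one, and that the older scan tool misreports hosts carrying only the newer patch. The sketch below is an added example, not part of the CAIS alert or the Microsoft bulletin; it shows a patch-status check that honours that supersedence. The inventory rows are constructed, and recording installed fixes by bulletin ID is an assumption.

```python
# Added example; inventory is constructed. Assumption: fixes are recorded by bulletin ID.
AFFECTED = {
    "Windows NT Workstation 4.0", "Windows NT Server 4.0",
    "Windows NT Server 4.0, Terminal Server Edition",
    "Windows 2000", "Windows XP", "Windows Server 2003",
}
NOT_AFFECTED = {"Windows Millennium Edition"}
# From the bulletin: the MS03-039 fix supersedes the one in MS03-026.
SUPERSEDED_BY = {"MS03-026": "MS03-039"}

def is_covered(bulletin, installed):
    """True if the fix is installed directly or through a superseding patch."""
    while bulletin:
        if bulletin in installed:
            return True
        bulletin = SUPERSEDED_BY.get(bulletin)
    return False

def assess(host):
    """Classify one inventory row against MS03-039."""
    installed = set(host["patches"])
    if host["os"] in NOT_AFFECTED:
        return "not-affected"
    if host["os"] not in AFFECTED:
        return "unknown-os"  # older, unsupported versions may or may not be affected
    if is_covered("MS03-039", installed):
        return "patched"
    if is_covered("MS03-026", installed):
        return "needs-MS03-039"  # only the superseded fix is present
    return "unpatched"

def naive_ms03_026_missing(host):
    """A check that ignores supersedence and looks only for the MS03-026 entry."""
    return "MS03-026" not in host["patches"]

INVENTORY = [  # constructed sample hosts
    {"name": "ws-01", "os": "Windows XP", "patches": ["MS03-026", "MS03-039"]},
    {"name": "srv-02", "os": "Windows 2000", "patches": ["MS03-039"]},
    {"name": "srv-03", "os": "Windows Server 2003", "patches": ["MS03-026"]},
    {"name": "pc-04", "os": "Windows Millennium Edition", "patches": []},
    {"name": "nt-05", "os": "Windows NT Server 4.0", "patches": []},
]

def report(inventory=INVENTORY):
    return {h["name"]: assess(h) for h in inventory}

if __name__ == "__main__":
    print(report())
```

Host srv-02 is the case the bulletin warns about: the naive check flags MS03-026 as missing even though the superseding patch is installed.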


