CRIME FW: NYS OCSCIC-Cyber Advisory: Microsoft Windows RPC DCOM Vulnerability

From: George Heuston (geoneve@private)
Date: Wed Oct 15 2003 - 15:45:26 PDT

    -----Original Message-----
    From: Gregg Shankle [mailto:Gregg.Shankle@private] 
    Sent: Wednesday, October 15, 2003 7:47 AM
    To: boyd_r@private; Bill Thompson; geoneve@private; Mike
    Ruffner; Chris Aldrich; David C Yandell; Barbara A Jensen; Michael S
    Curtis; Phyllis Michael; Kenneth D Murphy; Steve Payne; Abe Yoakum; Pat
    Pope; RAMAKRISHNAN Ranjit; Mary.Dover@private
    Cc: John Salle
    Subject: Fwd: NYS OCSCIC-Cyber Advisory: Microsoft Windows RPC DCOM Vulnerability

    Cyber advisory from our New York partners...

    Gregg Shankle, Detective
    Oregon State Police Office of Public Safety and Security

    end

    attached mail follows:

    The following advisory is being sent on behalf of William F. Pelgrin.

    DATE ISSUED: 10/14/03

    NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE COORDINATION
    CYBER ADVISORY

    SUBJECT: Microsoft Windows RPC DCOM Vulnerability

    OVERVIEW:
    Microsoft has reported that there is publicly available exploit code and a tool to take advantage of the Microsoft Windows RPC DCOM vulnerability addressed in Microsoft Security Bulletin MS03-039. To date, there has not been widespread use of this code in the wild, nor have they seen any virus or worm using this exploit. According to Microsoft, if the Microsoft Security Bulletin MS03-039 patch has been applied, this new exploit code will not compromise the system, but the possibility exists that it may cause a Denial of Service. The exploit code currently available will provide a remote shell to an unpatched system.

    On October 14, 2003, Carnegie Mellon CERT posted Vulnerability Note VU#547820 (see reference below) that appears to be a buffer overflow condition which is different from the vulnerabilities mitigated by Microsoft Security Bulletins MS03-026 and MS03-039. This CERT Vulnerability Note also makes reference to publicly available exploit code. There have also been several postings to the BugTraq discussion list on similar subject matter. The workaround strategies for both announcements are very similar - block RPC traffic at the perimeter.

    SYSTEMS AFFECTED:
    Systems previously identified in Microsoft Security Bulletin MS03-039 include:
    Microsoft Windows NT Workstation 4.0
    Microsoft Windows NT Server 4.0
    Microsoft Windows NT Server 4.0, Terminal Server Edition
    Microsoft Windows 2000
    Microsoft Windows XP
    Microsoft Windows Server 2003

    RISK:
    Government:
    * Large and medium government entities: Low
    * Small government entities: Medium
    Businesses:
    * Large and medium businesses: Low
    * Small businesses: Medium
    Home users:
    * High if not using a personal firewall

    RECOMMENDATIONS:
    On September 10, 2003, CSCIC posted an advisory (see references below) regarding the Microsoft Security Bulletin MS03-039 patch for new vulnerabilities discovered in Microsoft RPC. Continue to follow the same recommendations and mitigating strategies.
    1) Ensure that UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445 and 593 are blocked both inbound and outbound at your perimeter firewall.
    2) Follow the recommendations outlined in the September 10, 2003 CSCIC advisory.
    3) Advise home users to use a personal firewall that blocks the above ports.
    4) See the CERT advisory referenced below for cautious consideration of additional workarounds which may be effective in your environment.

    REFERENCES:
    CSCIC Advisory: http://www.cscic.state.ny.us/advisories/sep03/9_10.htm
    Microsoft: http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
    CERT Coordination Center: http://www.kb.cert.org/vuls/id/547820
    BugTraq:
    http://www.securityfocus.com/archive/1/340937/2003-10-04/2003-10-10/0
    http://www.securityfocus.com/archive/1/341034/2003-10-11/2003-10-17/0

    _____________________________
    William F. Pelgrin
    Director
    NYS Cyber Security and Critical Infrastructure Coordination
    30 South Pearl Street
    Albany, New York 12207
    518-473-4383 (Phone)
    518-402-3799 (Fax)
    william.pelgrin@private
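The perimeter block in recommendation 1) above, expressed as a rule generator. This is an added example and not part of the forwarded advisory or of any vendor's tooling; it assumes a Linux perimeter host using iptables with the default INPUT and OUTPUT chains, and the log prefix "RPC-BLOCK" is a name chosen here. The port lists are exactly the ones the advisory names; inbound hits are logged before being dropped so blocked probes are visible in the firewall log, and a small helper lets a firewall audit script ask whether a given protocol/port pair is one the advisory says must be closed.

```shell
#!/bin/sh
# Added example (not from the advisory): emit iptables rules that block the
# RPC/DCOM-related ports listed in the advisory, inbound and outbound, and
# log inbound hits. Assumes Linux iptables with the default INPUT/OUTPUT
# chains; the "RPC-BLOCK" log prefix is an assumption chosen for this example.

# Port lists taken verbatim from recommendation 1) of the advisory.
RPC_UDP_PORTS="135 137 138 445"
RPC_TCP_PORTS="135 139 445 593"

# is_rpc_port PROTO PORT: return 0 if the pair is in the advisory's block list,
# 1 otherwise. Useful when auditing an existing rule set against the advisory.
is_rpc_port() {
    proto=$1
    port=$2
    case "$proto" in
        udp) list=$RPC_UDP_PORTS ;;
        tcp) list=$RPC_TCP_PORTS ;;
        *)   return 1 ;;
    esac
    for candidate in $list; do
        [ "$candidate" = "$port" ] && return 0
    done
    return 1
}

# rules_for_port PROTO PORT: print three rules for one port. Inbound traffic is
# logged (so probes show up in syslog) and then dropped; outbound is dropped so
# a compromised internal host cannot reach RPC services elsewhere.
rules_for_port() {
    proto=$1
    port=$2
    echo "iptables -A INPUT  -p $proto --dport $port -j LOG --log-prefix 'RPC-BLOCK: '"
    echo "iptables -A INPUT  -p $proto --dport $port -j DROP"
    echo "iptables -A OUTPUT -p $proto --dport $port -j DROP"
}

# rpc_block_rules: print the complete rule set for every port in the advisory.
# 8 ports in total, so 16 DROP rules and 8 LOG rules.
rpc_block_rules() {
    for p in $RPC_UDP_PORTS; do rules_for_port udp "$p"; done
    for p in $RPC_TCP_PORTS; do rules_for_port tcp "$p"; done
}

# Usage (as root on the perimeter host, after reviewing the printed rules):
#   rpc_block_rules | sh
```

Review the output before piping it to a shell, and insert the rules ahead of any broad ACCEPT rule in the same chains, otherwise an earlier ACCEPT will match first and the DROP rules never fire.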



    This archive was generated by hypermail 2b30 : Wed Oct 15 2003 - 16:23:53 PDT