-----Original Message-----
From: Gregg Shankle [mailto:Gregg.Shankle@private]
Sent: Wednesday, October 15, 2003 7:47 AM
To: boyd_r@private; Bill Thompson; geoneve@private; Mike
Ruffner; Chris Aldrich; David C Yandell; Barbara A Jensen; Michael S
Curtis; Phyllis Michael; Kenneth D Murphy; Steve Payne; Abe Yoakum; Pat
Pope; RAMAKRISHNAN Ranjit; Mary.Dover@private
Cc: John Salle
Subject: Fwd: NYS OCSCIC-Cyber Advisory: Microsoft Windows RPC DCOM Vulnerability
Cyber advisory from our New York partners...
Gregg Shankle, Detective
Oregon State Police Office of Public Safety and Security
attached mail follows:
The following advisory is being sent on behalf of William F. Pelgrin.
DATE ISSUED: 10/14/03
NEW YORK STATE OFFICE OF CYBER SECURITY AND CRITICAL INFRASTRUCTURE
COORDINATION CYBER ADVISORY
SUBJECT:
Microsoft Windows RPC DCOM Vulnerability
OVERVIEW:
Microsoft has reported that there is publicly available exploit code and
a tool to take advantage of the Microsoft Windows RPC DCOM vulnerability
addressed in Microsoft Security Bulletin MS03-039. To date, there has
not been widespread use of this code in the wild, nor have they seen any
virus or worm using this exploit.
According to Microsoft, if the Microsoft Security Bulletin MS03-039 patch
has been applied, this new exploit code will not compromise the system
but the possibility exists that it may cause a Denial of Service. The
exploit code currently available will provide a remote shell to an
unpatched system.
On October 14, 2003, Carnegie Mellon CERT posted a Vulnerability Note
VU#547820 (see reference below) that appears to be a buffer overflow
condition which is different from the vulnerabilities mitigated by
Microsoft Security Bulletins MS03-026 and MS03-039. This CERT
Vulnerability Note also makes reference to publicly available exploit
code. There have also been several postings to the BugTraq discussion
list on similar subject matter.
The workaround strategies for both announcements are very similar -
block RPC traffic at the perimeter.
SYSTEMS AFFECTED:
Systems previously identified in Microsoft Security Bulletin MS03-039
include:
Microsoft Windows NT Workstation 4.0
Microsoft Windows NT Server 4.0
Microsoft Windows NT Server 4.0, Terminal Server Edition
Microsoft Windows 2000
Microsoft Windows XP
Microsoft Windows Server 2003
RISK:
Government:
* Large and medium government entities: Low
* Small government entities: Medium
Businesses:
* Large and medium businesses: Low
* Small businesses: Medium
Home users:
* High if not using a personal firewall
RECOMMENDATIONS:
On September 10, 2003, CSCIC posted an advisory (see references below)
regarding Microsoft Security Bulletin MS03-039 patch for new
vulnerabilities discovered in Microsoft RPC. Continue to follow the
same recommendations and mitigating strategies.
1) Ensure that UDP ports 135, 137, 138, 445 and TCP ports 135, 139, 445
and 593 are blocked both inbound and outbound at your perimeter
firewall.
2) Follow the recommendations outlined in the September 10, 2003 CSCIC
advisory.
3) Advise home users to use a personal firewall that blocks the above
ports.
4) See the CERT advisory referenced below for cautious consideration of
additional workarounds which may be effective in your environment.
REFERENCES:
CSCIC Advisory:
http://www.cscic.state.ny.us/advisories/sep03/9_10.htm
Microsoft:
http://www.microsoft.com/technet/security/bulletin/ms03-039.asp
CERT Coordination Center:
http://www.kb.cert.org/vuls/id/547820
BugTraq:
http://www.securityfocus.com/archive/1/340937/2003-10-04/2003-10-10/0
http://www.securityfocus.com/archive/1/341034/2003-10-11/2003-10-17/0
_____________________________
William F. Pelgrin
Director
NYS Cyber Security and Critical Infrastructure Coordination
30 South Pearl Street
Albany, New York 12207
518-473-4383 (Phone)
518-402-3799 (Fax)
william.pelgrin@private
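As an added illustration of recommendation 1 above (example code, not part of the advisory or the forwarded mail): a small audit that reads `iptables -S` style output from a Linux perimeter firewall and reports which of the advisory's UDP 135/137/138/445 and TCP 135/139/445/593 ports are not dropped in each direction. It assumes `eth0` is the external interface and uses a constructed sample ruleset.

```python
# Ports the advisory says to block at the perimeter, in both directions.
REQUIRED = {("udp", p) for p in (135, 137, 138, 445)} | \
           {("tcp", p) for p in (135, 139, 445, 593)}

# Constructed sample of `iptables -S` output from a Linux perimeter firewall.
SAMPLE_RULES = """\
-A FORWARD -i eth0 -p tcp -m multiport --dports 135,139,445 -j DROP
-A FORWARD -i eth0 -p udp -m multiport --dports 135,137,138,445 -j DROP
-A FORWARD -o eth0 -p tcp -m tcp --dport 593 -j ACCEPT
-A FORWARD -o eth0 -p tcp -m multiport --dports 135,139,445,593 -j DROP
-A FORWARD -o eth0 -p udp -m multiport --dports 135,137,138 -j DROP
-A INPUT -i eth0 -p tcp -m tcp --dport 22 -j ACCEPT
""".splitlines()

def parse_rule(line, ext_iface):
    """One `iptables -S` line -> (direction, proto, ports, target), or None if it
    is not a tcp/udp destination-port rule on the external interface."""
    tok = line.split()
    opts = {}
    for flag, val in zip(tok, tok[1:]):
        if flag in ("-A", "-i", "-o", "-p", "--dport", "--dports", "-j"):
            opts.setdefault(flag, val)
    if opts.get("-A") == "INPUT" or opts.get("-i") == ext_iface:
        direction = "inbound"
    elif opts.get("-A") == "OUTPUT" or opts.get("-o") == ext_iface:
        direction = "outbound"
    else:
        return None
    ports = opts.get("--dports") or opts.get("--dport")
    if opts.get("-p") not in ("tcp", "udp") or not ports or "-j" not in opts:
        return None
    return direction, opts["-p"], {int(p) for p in ports.split(",")}, opts["-j"]

def audit(rules, ext_iface="eth0"):
    """Return the (direction, proto, port) triples the advisory wants blocked that
    this ruleset does not block. iptables is first-match, so an ACCEPT that
    precedes a DROP for the same port is a gap. Chain policies (-P) are ignored."""
    first_match = {}
    for line in rules:
        parsed = parse_rule(line, ext_iface)
        if parsed is None:
            continue
        direction, proto, ports, target = parsed
        for port in ports:
            if (proto, port) in REQUIRED:
                first_match.setdefault((direction, proto, port), target)
    return {(d, proto, port) for d in ("inbound", "outbound")
            for proto, port in REQUIRED
            if first_match.get((d, proto, port)) not in ("DROP", "REJECT")}
```

On the sample ruleset the audit flags inbound TCP 593 (no rule), outbound TCP 593 (an ACCEPT precedes the DROP) and outbound UDP 445 (missing from the multiport list).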
This archive was generated by hypermail 2b30: Wed Oct 15 2003 - 16:23:53 PDT