Security Intelligence Operations

Microsoft Windows Message Queuing Service RPC Request Handling Vulnerability

Vulnerability Alert

Threat Type: Unintended Weakness: Arbitrary Code Execution
IntelliShield ID: 16797
Version: 2
First Published: October 14, 2008 02:40 PM EDT
Last Published: October 16, 2008 02:35 PM EDT
Vector: Network
Authentication: None
Exploit: Unproven
Port: Not Available
CVE: CVE-2008-3479
BugTraq ID: 31637
Urgency: Weakness
Credibility: Confirmed
Severity: Moderate Damage
CVSS Base: 10.0 (CVSS Version 2)
CVSS Temporal: 7.4

Version Summary: Additional technical information is available to describe the Microsoft Windows Message Queuing Service RPC request handling vulnerability.
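
How the CVSS Base 10.0 and CVSS Temporal 7.4 values above follow from the alert's ratings under the CVSS version 2 equations, as an added example that is not part of the original alert. The AC:L, C:C/I:C/A:C and RL:OF metric values are assumptions (the alert does not list them), and all function names are illustrative.

```python
from decimal import Decimal as D, ROUND_HALF_UP

# Metric weights from the CVSS version 2 specification.
AV = {"L": D("0.395"), "A": D("0.646"), "N": D("1.0")}    # access vector
AC = {"H": D("0.35"), "M": D("0.61"), "L": D("0.71")}     # access complexity
AU = {"M": D("0.45"), "S": D("0.56"), "N": D("0.704")}    # authentication
CIA = {"N": D("0"), "P": D("0.275"), "C": D("0.660")}     # per-property impact
E = {"U": D("0.85"), "POC": D("0.90"), "F": D("0.95"), "H": D("1.0")}
RL = {"OF": D("0.87"), "TF": D("0.90"), "W": D("0.95"), "U": D("1.0")}
RC = {"UC": D("0.90"), "UR": D("0.95"), "C": D("1.0")}


def round1(value):
    """Round to one decimal; Decimal avoids binary-float error at x.x5."""
    return value.quantize(D("0.1"), rounding=ROUND_HALF_UP)


def base_score(av, ac, au, c, i, a):
    impact = D("10.41") * (1 - (1 - CIA[c]) * (1 - CIA[i]) * (1 - CIA[a]))
    exploitability = 20 * AV[av] * AC[ac] * AU[au]
    f_impact = D("0") if impact == 0 else D("1.176")
    return round1((D("0.6") * impact + D("0.4") * exploitability - D("1.5")) * f_impact)


def temporal_score(base, e, rl, rc):
    return round1(base * E[e] * RL[rl] * RC[rc])


def alert_scores():
    """Scores for this alert's ratings.

    From the alert: Vector Network (AV:N), Authentication None (Au:N),
    Exploit Unproven (E:U), Credibility Confirmed (RC:C).
    Assumed: AC:L and C:C/I:C/A:C (the only values that yield 10.0), and
    RL:OF because the alert says Microsoft released updates.
    """
    base = base_score("N", "L", "N", "C", "C", "C")
    return base, temporal_score(base, "U", "OF", "C")


def temporal_if_exploit_matures(base):
    """Temporal score per exploit-maturity level, fix and confidence unchanged."""
    return {level: temporal_score(base, level, "OF", "C") for level in E}


if __name__ == "__main__":
    base, temporal = alert_scores()
    print("base", base, "temporal", temporal)
    print(temporal_if_exploit_matures(base))
```

`temporal_if_exploit_matures` shows how far the temporal score would rise if the Exploit rating moved beyond Unproven while the remediation and confidence ratings stayed the same, which is useful when re-prioritizing patching.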

Description

Microsoft Windows 2000 SP4 and prior contain a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges.

This vulnerability exists due to improper handling of malformed remote procedure call (RPC) requests by the Message Queuing Service (MSMQ). An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious request to the affected system. If successful, the attacker could trigger the execution of arbitrary code with the privileges of the user.

Microsoft has confirmed this vulnerability in a security bulletin and released software updates.

Warning Indicators

Microsoft Windows 2000 SP4 and prior are affected.

IntelliShield Analysis

To exploit the vulnerability, the attacker requires network access to an affected system. Systems running host-based firewall applications may be protected from exploitation. Attackers also likely require access to internal network segments in order to reach affected systems through perimeter network filtering devices.

Only systems with the affected component are vulnerable. The MSMQ component is not installed by default, making widespread exploitation of the vulnerability less likely.

The Cisco Applied Intelligence team has created an Applied Mitigation Bulletin to address vulnerabilities that Microsoft disclosed in the October 2008 security bulletin release. This Cisco bulletin, which assists administrators in identifying or mitigating these vulnerabilities using Cisco devices, is available at the following link: Cisco Applied Mitigation Bulletin: Microsoft Security Bulletin for October 2008

The update available from Microsoft addresses the vulnerability by correcting the way that RPC requests are processed.

Vendor Announcements

Microsoft has released a security bulletin at the following link: MS08-065

Impact

An unauthenticated, remote attacker could exploit the vulnerability to execute arbitrary code with the privileges of the affected service, which typically runs with SYSTEM privileges. An exploit could allow the attacker to completely compromise an affected system.

Technical Information

The vulnerability is due to improper handling of malformed RPC requests by the Microsoft Message Queuing service (MSMQ). The mqsvc.exe service improperly processes RPC requests, potentially causing the service to perform invalid memory operations that could result in an overflow condition.

An unauthenticated, remote attacker could exploit this vulnerability by sending a malicious RPC request to the affected system that causes the system to copy an unchecked string to memory, possibly resulting in a heap-based buffer overflow condition. The attacker could leverage the memory corruption via a separate request to obtain portions of memory or execute arbitrary code with SYSTEM privileges.

Safeguards

Administrators are advised to apply the appropriate updates.
Administrators are advised to restrict network access to affected systems.
Administrators may consider disabling MSMQ.

Patches/Software

Microsoft has released updated software at the following links: Windows 2000 SP4

Alert History

Version 1, October 14, 2008, 2:40 PM: Microsoft Windows 2000 contains a vulnerability that could allow an unauthenticated, remote attacker to execute arbitrary code with elevated privileges. Updates are available.

Product Sets

The security vulnerability applies to the following combinations of products.

LEGAL DISCLAIMER

The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.