US-CERT has released a Technical Cyber Security Alert and Vulnerability Notes that address the multiple RPC DCOM vulnerabilities.
Microsoft Windows contains multiple vulnerabilities in the RPC DCOM service that could allow an attacker to execute arbitrary code on the system, create a denial of service (DoS) condition or redirect communications ports.
The first vulnerability (CAN-2003-0813) exists in the RPC runtime library. A race condition exists within the DCOM interface, which an attacker could exploit by submitting multiple parallel requests and immediately closing the connection. This causes arbitrary information to be written to memory and executed. This vulnerability is similar to the issue detailed in IntelliShield Alert 6795.
The second vulnerability (CAN-2004-0116) is located within the RPCSS Service. An attacker could exploit the vulnerability by submitting a
malicious request to the RPC service, which could result in the overrunning of the allocated buffer. This overflow is contained by RPC, but the memory is not deallocated. By repeating this request an attacker can rapidly consume system resources, resulting in a DoS condition.
The third vulnerability (CAN-2003-0807) is located within the COM Internet Services (CIS). If CIS is enabled, an attacker can exploit the vulnerability by creating a malicious response to forwarded messages that will cause CIS to stop responding to future messages, resulting in a DoS condition.
The fourth vulnerability (CAN-2004-0124) is due to the way that object identities are created on affected systems. The vulnerability could allow an attacker to enable applications to
open network communications through unexpected ports.
Updated software is available.
Systems running the following Windows products are vulnerable:
Windows NT Workstation 4.0 SP6a Windows NT Server SP6a Windows NT Terminal Services Edition SP6 Windows 2000 SP2, SP3, SP4 Windows XP SP1 Windows XP 64-Bit Edition Windows XP 64-Bit Edition 2003 Windows Server 2003 Windows Server 2003 64-Bit Edition Windows 98, 98SE Windows Millennium Edition
Disabling the RPC DCOM service can render some machines useless. The method in which to remedy these issues is to apply the appropriate patch and block all RPC communications ports from outside access. The hacker community will likely take great interest in this vulnerability and work quickly to develop an exploit.
The CIS vulnerability can be mitigated by ensuring that RPC over HTTP has been disabled. By default, CIS is disabled, but it could be inadvertently enabled if web applications utilizing this feature have been developed and deployed. It is also important to note that IIS 6 running in native mode is not susceptible to this vulnerability; however it is vulnerable when IIS 6 is running in IIS 5 compatibility mode.
These vulnerabilities are
similar to the ones exploited by the Lovsan worm, as detailed in IntelliShield Alert 6477. Organizations that experienced problems as a result of this worm and have not taken steps to improve their security can expect similar issues if a worm is developed exploiting these new vulnerabilities.
Hibernating laptops provided a vector for the Lovsan worm to penetrate networks and bypass virus walls, as did home systems connecting to enterprise networks via VPN. Administrators are encouraged to monitor these attack vectors in the event that a worm exploiting these vulnerabilities surfaces.
Administrators are advised to apply the updates as soon as it is convenient, and immediately on machines that have outward-facing interfaces.
Microsoft has released a security bulletin at the following link: MS04-012
US-CERT has released a Technical Cyber Security Alert at the following link: TA04-104A
A remote attacker could execute arbitrary code, create a denial of service condition or redirect communications ports.
Sources indicate that the remote code execution vulnerability (CAN-2003-0813) is difficult to perform by itself, but by utilizing the memory allocation vulnerability (CAN-2004-0116) an attacker can locate memory space in which to inject arbitrary code without overwriting multiple system objects.
The first vulnerability lies within the RPC DCOM structure, in the activation class functions within the RPCSS module. By initiating simultaneous parallel requests and then immediately terminating the connections, an attacker can cause a small amount of heap corruption within the svchost RPC process.
The second vulnerability lies within the RPCSS service host. An attacker can create a large request for the creation of an activation class
object. The request creates an exception, which is handled by default exception handlers that fail to deallocate memory space. By repeating this request several times, an attacker can quickly consume large amounts of system resources, resulting in system instability and a DoS condition.
The third vulnerability is located in the CIS of IIS. On systems running IIS 5, or running IIS 6 operating in IIS 5 compatibility mode, an attacker can create a response to a RPC request that causes CIS to stop responding to future forwarded requests, resulting in a DoS condition until the affected IIS service can be restarted.
The fourth vulnerability is due to the way that object identities are created. By exploiting the weak object identifier creation
scheme, an attacker can cause applications to open arbitrary network communication ports. This can be done to applications that were not designed for network communications. This does not allow the attacker to gain control of the affected machine, but by opening communications on arbitrary ports, an attacker may be able to bypass firewall restrictions to exploit other known vulnerabilities.
Administrators are advised to apply the appropriate patches.
Administrators are advised to block external access to RPC DCOM ports 135, 137/udp, 138/udp, 445, 139/tcp, 593/tcp.
If possible, administrators are advised to disable CIS, as detailed in Microsoft Knowledge Base Article KB825819.
Administrators are advised to disable forwarding to DCOM, as detailed in Microsoft Knowledge Base Article KB826382.
Microsoft has released updates at the following links:
Version 1, April 13, 2004, 7:15 PM: Microsoft Windows contains multiple vulnerabilities in the RPC DCOM service that could allow a remote attacker to execute arbitrary code, create a denial of service condition, or redirect communications ports. Patches are available.
The security vulnerability applies to the following combinations of products.
Advanced Server Base, SP1, SP2, SP3, SP4 | Datacenter Server Base, SP1, SP2, SP3, SP4 | Professional Base, SP1, SP2, SP3, SP4 | Server Base, SP1, SP2, SP3, SP4
Original Release Base, SP1 | Second Edition Base | j Base
Original Release Base
Windows NT Server
4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Windows NT Server Enterprise Edition
Original Release Base | 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Windows NT Terminal Server
Original Release Base | 4.0 Base, SP1, SP2, SP3, SP4, SP5, SP6, SP6a
Windows NT Workstation
Original Release Base | 4.0 Base, SP1, SP2, SP3, SP3, SP4, SP5, SP6, SP6a
Windows Server 2003
Datacenter Edition Base | Datacenter Edition, 64-bit (Itanium) Base | Enterprise Edition Base | Enterprise Edition, 64-bit (Itanium) Base | Standard Edition Base | Web Edition Base
Home Edition Base, SP1 | Professional Edition Base, SP1 | Professional Edition, 64-bit (Itanium) Base, 2003 (itanium 2), SP1
Alerts and bulletins on the Cisco Security Intelligence Operations Portal are highlighted by analysts in the
Cisco Threat Operations Center and represent a subset of the comprehensive content that is available through Cisco Security IntelliShield Alert Manager Service.
This customizable threat and vulnerability alert service provides security staff with access to timely, accurate, and credible information about threats and vulnerabilities that may affect their environment.
The urgency and severity ratings of this alert are not tailored to individual users; users may value alerts differently based upon their network configurations and circumstances. THE ALERT, AND INFORMATION CONTAINED THEREIN, ARE PROVIDED ON AN "AS IS" BASIS AND DO NOT IMPLY ANY KIND OF GUARANTEE OR WARRANTY, INCLUDING THE WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR USE. YOUR USE OF THE ALERT, AND INFORMATION CONTAINED THEREIN, OR MATERIALS LINKED FROM THE ALERT, IS AT YOUR OWN RISK. INFORMATION IN THIS ALERT AND ANY RELATED COMMUNICATIONS IS BASED ON OUR KNOWLEDGE AT THE TIME OF PUBLICATION AND IS SUBJECT TO CHANGE WITHOUT NOTICE. CISCO RESERVES THE RIGHT TO CHANGE OR UPDATE ALERTS AT ANY TIME.