Original release date: July 17, 2003<br>
Last revised: <a href="#revisions">Fri Aug 8 13:11 EDT 2003</a><br>
Source: CERT/CC<br>
<p>
A complete revision history is at the end of this file.
</p>
<br>
<h3>Systems Affected</h3>
<ul>
<li>Microsoft Windows NT 4.0</li>
<li>Microsoft Windows NT 4.0 Terminal Services Edition</li>
<li>Microsoft Windows 2000</li>
<li>Microsoft Windows XP</li>
<li>Microsoft Windows Server 2003</li>
</ul>
<br>
<a name="overview"></a>
<h2>Overview</h2>
<p>
A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation.
A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of
service.
</p>
<br>
<a name="description"></a>
<h2>I. Description</h2>
There is a buffer overflow in Microsoft's RPC
implementation. According to Microsoft Security Bulletin <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>,
"There is a vulnerability in the part of RPC that deals with message
exchange over TCP/IP. The failure results because of incorrect
handling of malformed messages. This particular vulnerability affects
a Distributed Component Object Model (DCOM) interface with RPC, which
listens on TCP/IP port 135. This interface handles DCOM object
activation requests that are sent by client machines (such as
Universal Naming Convention (UNC) paths) to the server."
<p>The CERT/CC is tracking this issue as <A
HREF="http://www.kb.cert.org/vuls/id/568148">VU#568148</A>. This
reference number corresponds to <A
HREF="http://www.cve.mitre.org/">CVE</A> candidate <A
HREF="http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0352">CAN-2003-0352</A>.</p>
<a name="impact"></a>
<h2>II. Impact</h2>
A remote attacker could exploit this vulnerability to execute
arbitrary code with Local System privileges or to cause a denial of
service.
<br>
<a name="solution"></a>
<h2>III. Solution</h2>
<h4>Apply a patch from your vendor</h4>
<p>
Apply the appropriate patch as specified by >Microsoft Security Bulletin <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp"
>MS03-026</a>.
</p>
<p>
<a href="#vendors">Appendix A</a> contains additional information
provided by vendors for this advisory. As vendors report new
information to the CERT/CC, we will update this section and note
the changes in our revision history. If a particular vendor is
not listed below or in the individual <a
href="http://www.kb.cert.org/vuls/id/568148#systems">vulnerability
notes</a>, we have not received their comments. Please contact
your vendor directly.
</p>
<a name="solution.restrict"></a>
<h4>Restrict access</h4>
<p>
You may wish to block access from outside your network perimeter,
specifically by blocking access to TCP & UDP ports 135, 139, and
445. This will limit your exposure to attacks. However, blocking at
the network perimeter would still allow attackers within the perimeter
of your network to exploit the vulnerability. It is important to
understand your network's configuration and service requirements
before deciding what changes are appropriate.
</p>
<a name="solution.disable"></a>
<h4>Disable DCOM</h4>
<p>
Depending on site requirements, you may wish to disable DCOM as
described in <a href="http://microsoft.com/technet/security/bulletin/MS03-026.asp">MS03-026</a>. Disabling DCOM will help protect against this
vulnerability, but may also cause undesirable side effects. Additional
details on disabling DCOM and possible side effects are available in
Microsoft Knowledge Base Article <a href="http://support.microsoft.com/default.aspx?scid=kb;en-us;825750">825750</a>.
</p>
<a name="vendors"></a>
<h2>Appendix A. - Vendor Information</h2>
<p>
This appendix contains information provided by vendors for this
advisory. As vendors report new information to the CERT/CC, we
will update this section and note the changes in our revision
history. If a particular vendor is not listed below or in the
individual <a
href="http://www.kb.cert.org/vuls/id/568148#systems">vulnerability
notes</a>, we have not received their comments.
</p>
<a name="microsoft">
<h4>Microsoft Corporation</h4>
<blockquote>
Apply the appropriate patch as specified by Microsoft Security Bulletin <a
href="http://microsoft.com/technet/security/bulletin/MS03-026.asp"
>MS03-026</a>.
</blockquote>
<!-- end vendor -->
<a name="nortel">
<h4>Nortel Networks</h4>
<blockquote>
<h4>Nortel Networks Response to <a
href="http://www.cert.org/advisories/CA-2003-16.html">CERT Advisory
CA-2003-16</a> - <i>Buffer Overflow in Microsoft RPC</i></h4>
<p>
Nortel Networks supplies and supports both integrated and
non-integrated solutions to its customers. We are taking this
opportunity to complement CERT and Microsoft information with
information specific to the potential impact of this vulnerability on
Nortel Networks products and solutions. As well we indicate how
Nortel Networks products can be used to help effect the mitigation
procedures recommended both by CERT and Microsoft.
</p>
<p>
A limited number of Nortel Networks products and solutions are
potentially affected by this issue, and the nature of these products
and solutions tends to place them within a private network.
Accordingly, if network perimeter protection is employed as
recommended by both CERT and Microsoft (i.e. blocking access to TCP &
UDP ports 135, 139, and 445) these products and solutions should not
be vulnerable to attacks from the public Internet.
</p>
<p>Nortel Networks would like to inform its customers and partners of
efforts currently under way to respond to this issue:
<ol>
<li><h5>Embedded Operating Systems</h5></li>
<p>Some Nortel Networks products employ embedded Windows Operating
Systems identified by Microsoft as vulnerable; Product Technical
Bulletins and patches are being developed.
</p>
<li><h5>Applications on Windows Operating Systems</h5></li>
<p>Some Nortel Networks applications reside on Windows Operating Systems
identified by Microsoft as vulnerable; the corresponding Microsoft
patches are being tested against the Nortel Networks applications to
confirm that their functionality will not be impacted.
</p>
<li><h5>Clients on Windows Operating Systems</h5></li>
<p>Some Nortel Networks clients reside on workstations supplied by
others, with Windows Operating Systems identified by Microsoft as
vulnerable; Nortel Networks recommends that customers follow the
recommendations of CERT and Microsoft and apply the appropriate
patches.
</p>
<li><h5>Nortel Networks Routing Products to be used for Port Blocking</h5></li>
<p>Nortel Networks routing products are not vulnerable to this issue,
but may be configured to protect customer networks by blocking access
to TCP & UDP ports 135, 139, and 445 at the network edge, as
recommended by CERT and Microsoft. Product-specific instructions for
port blocking configuration are available for the following Nortel
products:
<ul>
<li>Passport 6000</li>
<li>Shasta</li>
<li>Contivity</li>
<li>Alteon Switched Firewall</li>
<li>Passport 8600</li>
<li>BayRS</li>
</ul>
</ol>
</p>
<H4>Nortel Networks Product Status</H4>
<p>The following products, which in some way rely on a Microsoft
operating system, have been reviewed or are under review. Other
products may be added.
</p>
<h5>Not Vulnerable</h5>
<ul>
<li>Succession Multi-service Gateway 4000</li>
<li>Interactive Multimedia Server</li>
<li>Communication Server for Enterprise -- Multimedia Exchange</li>
<li>Multimedia PC Client</li>
<li>Optivity Telephony Manager</li>
<li>Optivity NetID</li>
<li>Optivity Policy Services</li>
<li>Optivity Switch Manager</li>
<li>Contivity Configuration Manager</li>
</ul>
<h5>Vulnerable</h5>
<ul>
<li>Symposium including TAPI ICM</li>
<li>CallPilot</li>
<li>Business Communications Manager</li>
<li>International Centrex-IP</li>
<li>Periphonics with OSCAR Speech Server</li>
</ul>
<h5>Under Review</h5>
<ul>
<li>Alteon Security Manager</li>
<li>Network Configuration Manager for BCM</li>
<li>Preside Site Manager</li>
<li>Preside System Manager Interface</li>
</ul>
<p>
If you have a Nortel Networks product which is not noted on the list
above, we are currently reviewing our extended product families to
identify if they use components of the Microsoft Operating System and
will issue an updated list as soon as new information is available.
</p>
<p>For more information please contact
<PRE><FONT TYPE="monospace">
North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907
9009
</FONT></PRE>
</p>
<p>
Contacts for other regions are available at<br>
<blockquote>
<<a href="http://www.nortelnetworks.com/cs">http://www.nortelnetworks.com/help/contact/global/</a>>
</blockquote>
<br>
Or visit the eService portal at <<a
href="http://www.nortelnetworks.com/cs">http://www.nortelnetworks.com/cs</a>> under <i>Advanced
Search</i>.</p>
<p>If you are a channel partner, more information can
be found under <<a
href="http://www.nortelnetworks.com/pic">http://www.nortelnetworks.com/pic</a>>
under <i>Advanced Search</i>. </p>
</blockquote>
<!-- end vendor -->
<p>
<hr noshade>
This vulnerability was <a
href="http://marc.theaimsgroup.com/?l=bugtraq&m=105838687731618&w=2">discovered</a>
by The Last Stage of Delirium Research Group. Microsoft has published
Microsoft Security Bulletin <a
href="http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp">MS03-026</a>, upon which this document is largely based.
<hr noshade>
<p>Author: <a
href="mailto:cert@cert.org?subject=CA-2003-16%20Feedback%20VU%23568148">Ian A. Finlay</a>
<p></p>
<!--#include virtual="/include/footer_nocopyright2.html" -->
<p>Copyright 2003 Carnegie Mellon University.</p>
<p><a name="revisions">Revision History</a>
<tt><pre>
Jul 17, 2003: Initial release
Jul 21, 2003: Revised <a href="#solution.restrict">Restrict access</a> in <a href="#solution">Solution</a> section to add additional ports to block
Aug 2, 2003: Added <a href="#vendors">Appendix A - Vendor Information</a>
Aug 2, 2003: Added <a href="#nortel">Nortel</a> Vendor Statement from 08/01/2003
Aug 8, 2003: Added <a href="#solution.disable">Disable DCOM</a> workaround to <a href="#solution">Solution</a> section.
</pre></tt>
</p>
|