CERT^® Advisory CA-2003-16 Buffer Overflow in Microsoft RPC

A complete revision history is at the end of this file.

Systems Affected

• Microsoft Windows NT 4.0
• Microsoft Windows NT 4.0 Terminal Services Edition
• Microsoft Windows 2000
• Microsoft Windows XP
• Microsoft Windows Server 2003

Overview

A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.

I. Description

The CERT/CC is tracking this issue as VU#568148. This reference number corresponds to CVE candidate CAN-2003-0352.

II. Impact

III. Solution

Apply a patch from your vendor

Apply the appropriate patch as specified by >Microsoft Security Bulletin MS03-026.

Appendix A contains additional information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments. Please contact your vendor directly.

Restrict access

You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 135, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Disable DCOM

Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.

Appendix A. - Vendor Information

This appendix contains information provided by vendors for this advisory. As vendors report new information to the CERT/CC, we will update this section and note the changes in our revision history. If a particular vendor is not listed below or in the individual vulnerability notes, we have not received their comments.

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.

Nortel Networks Response to CERT Advisory CA-2003-16 - Buffer Overflow in Microsoft RPC

Nortel Networks supplies and supports both integrated and non-integrated solutions to its customers. We are taking this opportunity to complement CERT and Microsoft information with information specific to the potential impact of this vulnerability on Nortel Networks products and solutions. As well we indicate how Nortel Networks products can be used to help effect the mitigation procedures recommended both by CERT and Microsoft.

A limited number of Nortel Networks products and solutions are potentially affected by this issue, and the nature of these products and solutions tends to place them within a private network. Accordingly, if network perimeter protection is employed as recommended by both CERT and Microsoft (i.e. blocking access to TCP & UDP ports 135, 139, and 445) these products and solutions should not be vulnerable to attacks from the public Internet.

Nortel Networks would like to inform its customers and partners of efforts currently under way to respond to this issue:

1. Embedded Operating Systems

Some Nortel Networks products employ embedded Windows Operating Systems identified by Microsoft as vulnerable; Product Technical Bulletins and patches are being developed.

2. Applications on Windows Operating Systems

Some Nortel Networks applications reside on Windows Operating Systems identified by Microsoft as vulnerable; the corresponding Microsoft patches are being tested against the Nortel Networks applications to confirm that their functionality will not be impacted.

3. Clients on Windows Operating Systems

Some Nortel Networks clients reside on workstations supplied by others, with Windows Operating Systems identified by Microsoft as vulnerable; Nortel Networks recommends that customers follow the recommendations of CERT and Microsoft and apply the appropriate patches.

4. Nortel Networks Routing Products to be used for Port Blocking

Nortel Networks routing products are not vulnerable to this issue, but may be configured to protect customer networks by blocking access to TCP & UDP ports 135, 139, and 445 at the network edge, as recommended by CERT and Microsoft. Product-specific instructions for port blocking configuration are available for the following Nortel products:

• Passport 6000
• Shasta
• Contivity
• Alteon Switched Firewall
• Passport 8600
• BayRS

Nortel Networks Product Status

The following products, which in some way rely on a Microsoft operating system, have been reviewed or are under review. Other products may be added.

Not Vulnerable

• Succession Multi-service Gateway 4000
• Interactive Multimedia Server
• Communication Server for Enterprise -- Multimedia Exchange
• Multimedia PC Client
• Optivity Telephony Manager
• Optivity NetID
• Optivity Policy Services
• Optivity Switch Manager
• Contivity Configuration Manager

Vulnerable

• Symposium including TAPI ICM
• CallPilot
• Business Communications Manager
• International Centrex-IP
• Periphonics with OSCAR Speech Server

Under Review

• Alteon Security Manager
• Network Configuration Manager for BCM
• Preside Site Manager
• Preside System Manager Interface

If you have a Nortel Networks product which is not noted on the list above, we are currently reviewing our extended product families to identify if they use components of the Microsoft Operating System and will issue an updated list as soon as new information is available.

For more information please contact

North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907
9009

Contacts for other regions are available at

<http://www.nortelnetworks.com/help/contact/global/>

Or visit the eService portal at <http://www.nortelnetworks.com/cs> under Advanced Search.

If you are a channel partner, more information can be found under <http://www.nortelnetworks.com/pic> under Advanced Search.

Author: Ian A. Finlay

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:

CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

http://www.cert.org/

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

Copyright 2003 Carnegie Mellon University.

Revision History

Jul 17, 2003:  Initial release
Jul 21, 2003:  Revised Restrict access in Solution section to add additional ports to block
Aug  2, 2003:  Added Appendix A - Vendor Information
Aug  2, 2003:  Added Nortel Vendor Statement from 08/01/2003
Aug  8, 2003:  Added Disable DCOM workaround to Solution section.