CERT-SEI

Buffer Overflow in Microsoft RPC

Original release date: July 17, 2003
Last revised: Fri Aug  8 13:11 EDT 2003
Source: CERT/CC

A complete revision history is at the end of this file.


Systems Affected

  • Microsoft Windows NT 4.0
  • Microsoft Windows NT 4.0 Terminal Services Edition
  • Microsoft Windows 2000
  • Microsoft Windows XP
  • Microsoft Windows Server 2003

Overview

A buffer overflow vulnerability exists in Microsoft's Remote Procedure Call (RPC) implementation. A remote attacker could exploit this vulnerability to execute arbitrary code or cause a denial of service.


I. Description

There is a buffer overflow in Microsoft's RPC implementation. According to Microsoft Security Bulletin MS03-026, "There is a vulnerability in the part of RPC that deals with message exchange over TCP/IP. The failure results because of incorrect handling of malformed messages. This particular vulnerability affects a Distributed Component Object Model (DCOM) interface with RPC, which listens on TCP/IP port 135. This interface handles DCOM object activation requests that are sent by client machines (such as Universal Naming Convention (UNC) paths) to the server."

The CERT/CC is tracking this issue as VU#568148.  This reference number corresponds to CVE candidate CAN-2003-0352.

II. Impact

A remote attacker could exploit this vulnerability to execute arbitrary code with Local System privileges or to cause a denial of service.

III. Solution

Apply a patch from your vendor

Apply the appropriate patch as specified by >Microsoft Security Bulletin MS03-026.

 

    Appendix A contains additional information     provided by vendors for this advisory.  As vendors report new     information to the CERT/CC, we will update this section and note     the changes in our revision history.  If a particular vendor is     not listed below or in the individual vulnerability     notes, we have not received their comments.  Please contact     your vendor directly.  

Restrict access

You may wish to block access from outside your network perimeter, specifically by blocking access to TCP & UDP ports 135, 139, and 445. This will limit your exposure to attacks. However, blocking at the network perimeter would still allow attackers within the perimeter of your network to exploit the vulnerability. It is important to understand your network's configuration and service requirements before deciding what changes are appropriate.

Disable DCOM

Depending on site requirements, you may wish to disable DCOM as described in MS03-026. Disabling DCOM will help protect against this vulnerability, but may also cause undesirable side effects. Additional details on disabling DCOM and possible side effects are available in Microsoft Knowledge Base Article 825750.

Appendix A. - Vendor Information

 

    This appendix contains information provided by vendors for this     advisory.  As vendors report new information to the CERT/CC, we     will update this section and note the changes in our revision     history.  If a particular vendor is not listed below or in the     individual vulnerability     notes, we have not received their comments.  

Microsoft Corporation

Apply the appropriate patch as specified by Microsoft Security Bulletin MS03-026.

Nortel Networks

Nortel Networks Response to CERT Advisory CA-2003-16 - Buffer Overflow in Microsoft RPC

Nortel Networks supplies and supports both integrated and non-integrated solutions to its customers. We are taking this opportunity to complement CERT and Microsoft information with information specific to the potential impact of this vulnerability on Nortel Networks products and solutions. As well we indicate how Nortel Networks products can be used to help effect the mitigation procedures recommended both by CERT and Microsoft.

A limited number of Nortel Networks products and solutions are potentially affected by this issue, and the nature of these products and solutions tends to place them within a private network. Accordingly, if network perimeter protection is employed as recommended by both CERT and Microsoft (i.e. blocking access to TCP & UDP ports 135, 139, and 445) these products and solutions should not be vulnerable to attacks from the public Internet.

Nortel Networks would like to inform its customers and partners of efforts currently under way to respond to this issue:

  1. Embedded Operating Systems
  2. Some Nortel Networks products employ embedded Windows Operating Systems identified by Microsoft as vulnerable; Product Technical Bulletins and patches are being developed.

  3. Applications on Windows Operating Systems
  4. Some Nortel Networks applications reside on Windows Operating Systems identified by Microsoft as vulnerable; the corresponding Microsoft patches are being tested against the Nortel Networks applications to confirm that their functionality will not be impacted.

  5. Clients on Windows Operating Systems
  6. Some Nortel Networks clients reside on workstations supplied by others, with Windows Operating Systems identified by Microsoft as vulnerable; Nortel Networks recommends that customers follow the recommendations of CERT and Microsoft and apply the appropriate patches.

  7. Nortel Networks Routing Products to be used for Port Blocking
  8. Nortel Networks routing products are not vulnerable to this issue, but may be configured to protect customer networks by blocking access to TCP & UDP ports 135, 139, and 445 at the network edge, as recommended by CERT and Microsoft. Product-specific  instructions for port blocking configuration are available for the following Nortel products:

    • Passport 6000
    • Shasta
    • Contivity
    • Alteon Switched Firewall
    • Passport 8600
    • BayRS

Nortel Networks Product Status

The following products, which in some way rely on a Microsoft operating system, have been reviewed or are under review. Other products may be added.

Not Vulnerable
  • Succession Multi-service Gateway 4000
  • Interactive Multimedia Server
  • Communication Server for Enterprise -- Multimedia Exchange
  • Multimedia PC Client
  • Optivity Telephony Manager
  • Optivity NetID
  • Optivity Policy Services
  • Optivity Switch Manager
  • Contivity Configuration Manager
Vulnerable
  • Symposium including TAPI ICM
  • CallPilot
  • Business Communications Manager
  • International Centrex-IP
  • Periphonics with OSCAR Speech Server
Under Review
  • Alteon Security Manager
  • Network Configuration Manager for BCM
  • Preside Site Manager
  • Preside System Manager Interface

If you have a Nortel Networks product which is not noted on the list above, we are currently reviewing our extended product families to identify if they use components of the Microsoft Operating System and will issue an updated list as soon as new information is available.

For more information please contact


North America: 1-800-4NORTEL or 1-800-466-7835
Europe, Middle East and Africa: 00800 8008 9009, or +44 (0) 870 907
9009

Contacts for other regions are available at

<http://www.nortelnetworks.com/help/contact/global/>

Or visit the eService portal at <http://www.nortelnetworks.com/cs> under Advanced Search.

If you are a channel partner, more information can be found under <http://www.nortelnetworks.com/pic> under Advanced Search.


This vulnerability was discovered by The Last Stage of Delirium Research Group. Microsoft has published Microsoft Security Bulletin MS03-026, upon which this document is largely based.

Author: Ian A. Finlay

Copyright 2003 Carnegie Mellon University.

Revision History

Jul 17, 2003:  Initial release
Jul 21, 2003:  Revised Restrict access in Solution section to add additional ports to block
Aug  2, 2003:  Added Appendix A - Vendor Information
Aug  2, 2003:  Added Nortel Vendor Statement from 08/01/2003
Aug  8, 2003:  Added Disable DCOM workaround to Solution section.