Lock IT Down: Critical flaw in RPCSS is similar to the cause of Blaster

If you overlook this important security flaw, youre putting your system at risk

Microsoft is urging users to patch their systems after the discovery of three new vulnerabilities in its version of the open source Remote Procedure Call (RPC) protocol, as detailed in Microsoft Security Bulletin MS03-039. This should be considered a particularly serious threat because it exploits a vulnerability that is similar to the one that allowed the Blaster worm to spread so quickly.

RPC is a protocol used to allow one computer to access another with no special intervention from the user. Microsoft has modified the RPC protocol by adding Microsoft Windows-specific extensions.

The problem lies in the portion of RPCSS that involves Distributed Component Object Model (DCOM)—better known in the past as Network OLE. A malformed message sent to the service can result in a buffer overrun.

Two earlier DCOM-related Security Bulletins—MS03-026 (July 6, 2003, "Buffer Overrun In RPC Interface Could Allow Code Execution") and MS01-048 (Sept. 10, 2001, "Malformed Request to RPC Endpoint Mapper can Cause RPC Service to Fail")—included patches that have been superseded by the ones provided in this latest bulletin.

RPCSS normally monitors UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593, but it will also monitor ports 80 and 443 if COM Internet Services (CIS) or RPC over HTTP is enabled.

This vulnerability is found in Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003. Microsoft reports, "RPCSS is enabled by default in all versions of Windows." The version of RPCSS that shipped with Windows Me is not affected by this vulnerability.

Risk level—Moderate to Critical
MS03-039 covers three vulnerabilities. Exploitation of two of them could result in the ability of the attacker to run any arbitrary code on the vulnerable system with local system privileges, while the other is slightly less dangerous, resulting in a denial of service event.

The vulnerabilities have been assigned the following universal Mitre CVE candidate designations:

Mitigating factors
Proper firewall configuration should mitigate outside attacks, but that's about all the good news.

Fix—Apply patch or workarounds
The patch in MS03-039 also replaces the one provided just a few weeks ago with MS03-026. Knowledge Base article 827363 includes more information about this vulnerability and offers a link to the KB824146scan.exe tool, which can be used to determine whether a system is vulnerable to these flaws or has already been patched.

A number of workarounds can be applied to reduce the risk until you get a chance to install the patch. Microsoft lists the following steps for protecting unpatched systems, but most will seriously degrade usability on many networks.

You can configure network firewalls to block UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593. Since it isn't normally practical to block port 80, you also need to disable CIS and RPC over HTTP. Although those are the default ports, other RPC ports may have been specifically configured and must also be blocked. Knowledge Base article 825819 explains how to disable CIS. See RPC over HTTP Security for additional information.

Remote PCs using a VPN connection to access the corporate network can be protected with a personal firewall. Windows XP and Windows 2003 ship with Microsoft's minimalist Internet Connection Firewall, which blocks inbound RPC traffic by default if the firewall is enabled.

An IPSec filter can also be used to block all the same ports mentioned above. MicrosoftKnowledge Base articles 313190 and 813878 explain how to apply filters in IPSec.

Another workaround is to disable DCOM, but this will not be practical on many systems, if only because disabling DCOM on remote systems will prevent you from remotely re-enabling it later.

These workarounds won't work on all versions and levels of the affected operating systems.

Final word
Although this newest vulnerability is not found in the almost completely unused Windows Me, it's important to note that this does affect the supposedly more secure Windows Server 2003—the flagship of Microsoft's newly discovered corporate emphasis on producing more secure software. On the other hand, lately I have seen fewer reports of new bugs caused by patches, so perhaps Trustworthy Computing is having some beneficial results (although it's important to remember that part of Trustworthy Computing is the promise to respond more quickly to newly discovered vulnerabilities, and that can also result in more security bulletins).

With MS03-039, nine patches are provided for various versions of the affected software. Some of the software isn't vulnerable to the DoS attack, and for others it poses only a Moderate threat, but the patch for each software version includes the fix for the arbitrary code execution vulnerability that is rated Critical on all affected systems.

Also watch out for…
Reuters reported that a Romanian man has been arrested and charged with releasing Blaster.F. Dan Dumitru Ciobanu reportedly confessed but claimed "it was all a mistake." This followed closely on the heels of the American teenager who bitterly complained that he was being portrayed as a geek and treated unfairly because he couldn't afford a high-profile lawyer after confessing to releasing another version of Blaster. Let's not forget that you have two responsibilities to your employer when it comes to viruses and worms. Obviously, you need to protect against attacks and any damage they might cause. But these days, you also need to make certain that your systems aren't used to launch attacks as a result of being taken over by a worm or because you have an in-house hacker.

If you are thinking of outsourcing computer maintenance, remember that not all security threats are electronic. Recently, two individuals posing as EDS technicians took two servers offline at the Sydney, Australia, airport. Not content with simply copying a few files, they loaded the servers on dollies and took them home. The servers apparently contained information relating to terrorists and international drug traffic.

RIAA has settled with the family of a 12-year-old girl in New York over her illegal downloading of copyrighted music. This should serve as a serious wake-up call for any administrators who have been lax in purging their servers and workstations of music files, along with Napster, Kazaa, and other P2P software. If RIAA is willing to take the sour PR from charging a child with this violation, consider how likely is it that it will be willing to tackle businesses that allow employees to steal music and store it on company-owned and controlled systems.

Editor's Picks

Free Newsletters, In your Inbox